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.INFRASTRUCTURE LOG 

_DAY 82: There are so many risks out there. So many things that can happen to our business: natural disasters, spikes in traffic, mergers. How do we prepare? One in three companies don’t recover from unplanned downtime.¹ Would we?

_Gil has wrapped everything in the office with bubble wrap. 
Everything. Just to be safe. 

_DAY 83: I’m preparing with IBM Business Resilience Solutions. 
IBM Business Continuity Services can help us assess our risks 
and design a proactive plan to deal with them. IBM Tivoli gives us 
the visibility to diagnose and fix infrastructure problems. 

And the robust availability features of the IBM System p™ give 
us maximum uptime. The future feels so much safer now. 

_No more bubble wrap. And I have to mail a package. Great. 



Take the business continuity assessment at: 

IBM.COM/TAKEBACKCONTROL/READY 
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specifically to aid the Server Core experience, comes 
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Michael Otey


Here are 10 key features, such as price, snapshots, and 
cloning, that should make choosing between VMware 
Workstation and VMware Server a virtual snap. 
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Your organization is global and so is your IT infrastructure. Some days that means you 
need to operate and solve problems in 12 time zones. With Avocent, you can solve 
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Messaging Management 

Guarding against growing threats to the corporate email and IM environment has become an all-consuming task for IT professionals. Now is the time for IT security pros to ensure that the mainstays of their defense strategy are pulling their weight. This valuable free guide explains why securing a mail and messaging infrastructure shouldn’t be an afterthought—every organization needs to plan for appropriate message hygiene, availability, and control services from the start.

www.windowsitpro.com/go/ebook/symantec/ 


IM, VoIP, Peer-to-Peer File Sharing, 
and Games in the Workplace 

The rapid emergence of Web 2.0 is redefining how individuals interact with the Internet, but the related technologies pose a plethora of new threats. Download this white paper to learn about approaches to controlling such applications and how integrating blocking of unauthorized applications into your existing malware detection and management infrastructure can lower cost and management overhead.

www.windowsitpro.com/go/sophos/wp/games/?code=novcitc 


Protect Against 
Internet-Based Threats 

Over the years, viruses, phishing, pharming, and malicious Web sites have made the Internet an increasingly danger-
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guard against Internet-based threats. 

www.windowsitpro.com/go/wp/websense/threats/?code=novcitc 
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Usually, our Office and SharePoint Pro section is like a mini publication in the middle of our magazine. But this month, we’re devoting most of our print space to the Unified Communications section. If you’re looking for more Office and SharePoint information, not to worry—I just happen to know where you can find it.

Check out www.officesharepointpro.com for tips, forums, and articles such as Siegfried Jagott’s “SharePoint Integration with Outlook 2007”—parts 1 and 2 are at InstantDoc ID 95919 and 96154, respectively. In this series, Siegfried explains how Office 2007 makes it easy to access information from SharePoint sites when you’re offline and what you need to know before you synchronize SharePoint document libraries.


DECEMBER 


Check out our onsite and virtual events covering Microsoft Exchange Server, SharePoint, virtualization, business intelligence (BI), and more!

www.windowsitpro.com/events 


_ BY CHRISTAN HUMPHRIES 

In this month’s Top 10 (page 87), Michael Otey clarifies the differences between VMware Workstation 6.0 and VMware Server 1.0.4. But if you’re more interested in ESX Server, which according to Michael is “targeted at the high-end enterprise space,” see Alan Sugano’s Web-exclusive articles “VMware Infrastructure Starter Package,” InstantDoc ID 97037 and “Installing VMware Infrastructure,” InstantDoc ID 97274. Alan explains how the VMware Infrastructure starter package will bring you up to speed with the ESX hypervisor without a significant up-front investment and how to get up and running with the platform.
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IT Pro Perspective 


Microsoft Asks: Who Are You? 

Embracing the social geek “in order to transform perceptions of Microsoft” 


Customer loyalty and satisfaction result from good products and excellent customer service. To create products that fill a need, a company has to understand who its customers are and what they want. Back in the 1990s, Microsoft generally disregarded its customers and is paying the price of low customer satisfaction today. In contrast, Apple is a technology company that “gets” its customers and inspires fanatical loyalty by creating über-cool and innovative technology. That loyalty leaves Microsoft yearning to win the hearts and minds of IT pros and developers. Although the company has worked hard to involve customers in the development of Windows Vista, Windows Server 2008, and other recent releases, IT pro and developer satisfaction has been sliding for at least five years. I can imagine some frustrated Microsoft workgroup wondering what it would take to make IT people happy—and suddenly coming to the realization that Microsoft needed to find out what makes IT pros and developers tick.


The Social Geek 

Then along came Mark J. Penn with his book Microtrends: The Small Forces Behind Tomorrow's Big Changes (Twelve, 2007). Penn's research reverses the stereotype of the geek as a loner. Penn dubs today's tech-head as the “social geek.” Penn maintains, “Geeks as we know them have all but disappeared.... The social uses of technology, with its new emphasis on 'connection,' have far outstripped the antisocial, individualistic purposes technology used to serve.”

Significantly for Microsoft, Penn goes on to say, “The implications for technology marketing are staggering. Whereas tech companies used to target... pasty, lonely guys, now they sell having a great PC... as cool.... Being tech-savvy was once socially disdained. Now it is at the center of organizing friends, parties, and the social life of the family.”

Considering customers as social beings who have a life outside of IT has led some marketers at Microsoft to a new concept that's not just for marketing but also for improving customer satisfaction. That concept is Who Are You (see www.wewanttoknow.net). The idea is for IT pros to show off their talents and interests for Microsoft and the world to see. Do you sing karaoke? Upload your video!


The Magic Bullet 

According to a Microsoft flyer touting the program, “The Who Are You campaign focuses on recognizing and celebrating the IT Professional as a unique individual in order to transform perceptions of Microsoft within this key audience. The campaign's execution is multi-tiered; it is comprised of online visibility, print advertisements, and events where IT Professionals can showcase their multidimensional, creative personalities as people instead of simply professionals.”

Who Are You is Microsoft's attempt at “crafting an IT consumer-base that feels valued for their [sic] creativity and individuality.” Presumably, this means that if you feel Microsoft values your individuality, you'll be enthusiastic about the company and a more satisfied customer.



Your Potential, Their Passion 

I've criticized Microsoft in the past—first for the company's indifference to community, then for its drive to manufacture and consume “community” instead of interacting with customers in an authentic relationship. Although I'm not convinced that emulating Apple is the way to achieve a true connection with IT, I have to give Microsoft credit for continuing attempts to get it right.

Romi Mahajan (romim@microsoft.com), a director in Microsoft's US subsidiary, told me, “I believe very strongly that we all make emotional connections with companies, with societies, with different parts of community, with each other. And in the absence of the people in the company understanding truly who you are, it's hard to build an emotional connection. I can think of a Microsoft competitor—i.e., Apple—that does it very well.”

For such an effort to succeed, Microsoft can't just consume personal information about its customers. Instead, Microsoft employees have to be willing to share their own interests and passions. Romi responded, “Community is predicated not only on an honest dialog, but also an exchange—sometimes even a rancorous exchange—so we all get better. I'm not arrogant enough to think I have the right to know something about somebody unless I'm willing to give equally of myself. We have to find the right balance and not try to influence customers, but just show up—show up and be benign.”

I'm curious about what you think of Who Are You. How much of your personal life do you want to share with Microsoft? Email me at Karen@windowsitpro.com, or comment online.

Karen Forster (karen@windowsitpro.com) is editorial and strategy director for Windows IT Pro and SQL Server Magazine and former director of Windows Server User Assistance at Microsoft.
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.INFRASTRUCTURE LOG 


_DAY 74: This is so complicated. We’re spending all our 
time and money managing our boxes. Gil says he has a 
big idea for how to better manage our x86 environment. 

_Gil’s big idea: sheepdogs...says they work for biscuits. 


_DAY 75: I just wrangled up the scalable IBM System x3950. 
Its IBM X3 Architecture and IBM Systems Director make 
it one of the most reliable and economical platforms for 
x86-based virtualization. Managing our servers and storage 
is a snap. And with Dual-Core Intel® Xeon® processors, the 
System x™ servers will run lightning fast. 

_IBM System x. My new best friend. 


Purchase a System x and get a 3-month trial of VMware® VI3*


IBM.COM/TAKEBACKCONTROL/VIRTUALIZE 


*The 3-month trial of VMware is subject to the terms and conditions of the promotion, available from VMware. IBM, the IBM logo, System x and Take Back Control are trademarks 
or registered trademarks of International Business Machines Corporation in the U.S. and other countries. Intel, the Intel logo, Xeon and Xeon Inside are trademarks or registered 
trademarks of Intel Corporation in the U.S. and other countries. VMware is a registered trademark of VMware in the U.S. and other countries. © 2007 IBM Corporation. All rights reserved. 
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EDITOR’S NOTE

Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.


Editor’s Note

Long-time reader and contributor Murat Yildirimoglu pointed out that the scripts used in the June 2007 article, “It’s 10:00 p.m., Do You Know Who’s Logged On?” (InstantDoc ID 95922), are similar to the scripts Murat published in August 2005 in his Reader to Reader contribution, “Prevent Multiple Logons with GPOs” (InstantDoc ID 46952).


Ultimate Power Tool

In “The Power of For” (September 2007, InstantDoc ID 96539), Mark Minasi covered some basics of using the For command. I've been using For in my scripting for years. It's particularly powerful when you have a simple yet repetitive task to deal with or when you have a complex task to handle. At one company I worked for, I was able to use the For command with PsExec to deploy applications to hundreds of desktops in a few hours. The beautiful thing is that For is free, and it can be a godsend for cash-strapped IT teams.

—Brent McCraney

If you found Mark's September column on For useful, be sure to read “Counting on For” (October 2007, InstantDoc ID 96704) and “The Final For” (November 2007, InstantDoc ID 96903), in which he explores more uses of the For command.

—Jason Bovberg


Microsoft’s Competitive Strategy

I read Karen Forster's IT Pro Perspective editorial, “Exchange 2007 SP1 and Performance Point,” (October 2007, InstantDoc ID 96977) and want to respond to her questions.

I wish I didn't have to add servers to keep the functionality I already have. For example, my company uses InfoPath forms that are automatically submitted via email to public folders and individuals in Exchange. Although some processes could probably benefit from SharePoint or PerformancePoint, I expect that often it won't really matter in most cases. But because Exchange public folders are going away, I'll now have to have SharePoint to accomplish the same tasks as before.

I also don't like having a new client that I have to install, update, upgrade, and troubleshoot for each new Microsoft server. SharePoint is an excellent platform for building the client interface to all Microsoft server systems. Unless an application is standalone, like Word, the emphasis should be on using SharePoint for the client in all cases. Microsoft should offer a module to replace Outlook, Communicator, Project, and so on. If Microsoft is going to make SharePoint the console, then do it 100 percent.

So, I'd say the following to Microsoft:

1. Don't remove functionality from existing server systems unless the user community isn't using it.

2. It's OK to add servers if it will give companies additional functionality.

3. Build SharePoint into a centralized console before you try forcing customers into it. In fact, make SharePoint so good that you won't have to convince your customers to adopt it.

If Microsoft took this advice, it wouldn't have to worry about Google or anyone else.

—Nate McAlmond

You can read Nate's complete letter and my comments on my Hey Microsoft! blog at www.windowsitpro.com/Article/ArticleID/97390/Too_Many_New_Microsoft_Clients_and_Servers.html

—Karen Forster


Security Risks Revisited

Security is the reason Jeremy Schubert gave in “IT Pro Hero: User Logon Tracking Redux” (September 2007, InstantDoc ID 96633) for modifying the user logon tracking from the June 2007 article “It's 10:00 p.m., Do You Know Who's Logged On?” (InstantDoc ID 95922). Jeremy stated that it was a potential security risk to have the logs open on a share.

It's just as much of a risk to have the EventSave freeware utility available for user execution. EventSave's default behavior is to clear the local computer event logs to text files stored in the same directory as the .exe file. If an end user were to find the .exe file, he or she could run it, clearing out their local event viewer. In my opinion, this security risk is just as great as allowing user access to write/append the batch script-generated logs that the June article mentions.

—Ashley Ames


Totally Free Utilities—NOT

In “8 More Absolutely Cool, Totally Free Utilities” (September 2007, InstantDoc ID 96628), Douglas Toombs lists System Information for Windows (SIW) as one of his favorite utilities. When I went to download the utility, however, I found that it isn't totally free. Here's the relevant portion of the End User License Agreement (EULA): “This Software is being distributed as Freeware for personal, non-commercial use. It may be freely used, copied and distributed as long as it is used only for personal purposes. Use on multiple PCs in a corporate, educational, non-profit, military or government installation is prohibited.” SIW might be a great utility, but I can't use it for my employer without purchasing a paid version.

—Stan Anderson

I apologize for the oversight. I had read the quote, “SIW is a standalone utility that does not require installation (Portable Freeware)” on Gabriel Topala's Web site, gtopala.com, and took it at face value. As it turns out, Stan is right. “Free,” in this case, applies only to personal use, not commercial. I'll read the EULAs more thoroughly for the next article.

—Douglas Toombs
InstantDoc ID 97499
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INFRASTRUCTURE LOG 


_DAY 79: Our IT environment is rigid and inflexible. 

We can’t adapt to our changing business needs. Oh no.. 
I was afraid of this. We’re so rigid, we’re stuck in time. 

_Infrastructurus prehistoricus. I’ve read about this. 

_DAY 80: I’m taking back control with IBM SOA solutions 
Now we have the hardware, software and services 
we need to respond to change. IT strategy, planning and 
implementation are in tune with our specific business 
needs. We’re deploying and updating business processes 
faster and more efficiently. We’re evolving! 

_Good-bye, rigid past. Hello, flexible future. 


Take the SOA business value assessment at: 

IBM.COM/TAKEBACKCONTROL/SOA 


WebSphere 


IBM, the IBM logo, WebSphere and Take Back Control are trademarks or registered trademarks of International Business Machines Corporation in the United States and/or other countries. 
©2007 IBM Corporation. All rights reserved. 
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Only Ninja Email Security has a dedicated image-spam detection engine 

Image spam plays by different rules, designed to defy the old standard antispam practices that the other guys still try to use. 
Only Ninja Email Security for Exchange gives you a dedicated engine designed to beat image spam at its own game, and kill it. 


Mutation-proof: In addition to its own image-spam engine, Ninja leverages the built-in Cloudmark engine to “fingerprint” image spam. Even if images mutate from one day to the next, the fingerprints don’t. This one-two punch is murder on text spam too.

Ninja is the all-in-one, best-of-breed, third-generation email security solution: Ninja’s plug-in architecture integrates policy-based antispam, antivirus, attachment filtering, and disclaimer modules on your Exchange server.

Policy-based control: Ninja’s extensive policy creation capabilities help ensure messages are handled properly according to your company’s business processes and security policies.

SMART™ attachment filtering:* Ninja has the first policy-based attachment filter. It polices attachments based on email direction - inbound, outbound or within the organization. Additionally, Ninja looks inside many types of files to see their true identity, rather than blindly trusting file extensions, which can easily be faked.






Dual-engine antivirus: Ninja combines the power of two high-quality AV engines: Authentium and BitDefender. 

Disclaimers: Ninja’s Disclaimer plug-in provides global and user-based disclaimers for all outbound email. You can 
configure policy-based disclaimers based on specific users, 
groups, domains, or public folders. 

Download your free evaluation copy at: 

www.sunbeltsoftware.com/ninjawin



Sunbelt Software 


Email sales@sunbeltsoftware.com or call 1-888-688-8457 
for your 50% discount competitive upgrade offer 


SunbeltSoftware Tel: 1-888-688-8457 or 1-727-562-0101 Fax: 1-727-562-5199 www.sunbeltsoftware.com sales@sunbeltsoftware.com 

*Suspicious Mail Attachment Removal Technology™

© 2007 Sunbelt Software. All rights reserved. Ninja Email Security and Suspicious Mail Attachment Removal Technology are trademarks of Sunbelt Software. All trademarks used are owned by their respective companies. 

Competitive upgrade based on 50% of the Ninja list price. 


What You Need to Know About... 

How Windows Server 2008 Developed 


With Windows Server 2008 heading toward first quarter 2008 launch, I sat down with Alex Hinrichs, the Server 2008 project manager, to discuss the development of the product and how changes to it will benefit customers going forward. There's no doubt about it: Server 2008 is the most customer-driven version of Windows Server yet, and though it's a major revision that will surely bring with it some compatibility problems in the short term, the long-term benefits are obvious and unassailable. Here's what you need to know about the development of Server 2008.

Hinrichs Maneuver 

Much of the work around Windows Server occurs in Building 43 on the Microsoft campus in Redmond. Alex Hinrichs runs the Windows Server ship room and manages the development of this increasingly complex product line that affects almost every level of Microsoft's customers. He sets the schedule, defines the processes, and is the point man for any decisions that need to be pushed up the ladder to his superior, Iain McDonald, or Bill Laing, the general manager of Microsoft's Server Business.

A 12-year Microsoft veteran, Hinrichs was originally hired as a Windows NT program manager. He worked as the release product manager for all Small Business Server (SBS) releases from SBS 4.0 to SBS 2003. On the heels of SBS 2003's completion, Hinrichs jumped over to Windows Server.

Define Servers by the Roles They Perform

The fundamental change in Windows Server development has been the move to a roles-based management architecture. Microsoft began working on nascent versions of this architecture as far back as Windows 2000, but it wasn't until Server 2008 that the OS was finally componentized, allowing the management roles inside the product to map both to the underlying architecture and to the product groups working on Windows Server.

"The thing we really hang our hat on is that we've had a clear vision for Windows Server 2008 from the beginning," Hinrichs said. "We talked to our customers and they don't think of the product in terms of product versions, but rather about the server boxes. In their data center and server rooms, they can point to different machines and say, 'That's the domain controller, that's the file server, that's the Web server, and that's DHCP.' That's how they think. The problem is, we produce a Swiss Army-knife kind of server product that does a bunch of different things. But customers wanted to define their servers by the roles they performed." Thus, the roles-based architecture in Windows Server was born.

"This also allows us to better engineer the product from the start," Hinrichs added. "Roles define things from the beginning, and deep componentization means we can install as little functionality as possible by default and give admins only exactly what they need." Even Microsoft's engineering teams, with few exceptions, are organized by roles. "We have general managers and product unit managers whose job, literally, is to manage things like the Terminal Services business, the Active Directory business, the IIS business, and so on," Hinrichs said. "We engineer the product soup to nuts to make that happen. Again, it's a very clear focus and vision that helped us scope the product and make the right decisions."

Manage Complex Product Changes 

From a process perspective, Server 2008 has been in development longer than any previous version of Windows Server. To manage such a complex product over many years and not run into the problems that, quite frankly, were rampant with the Windows Vista team, is an achievement. In stark contrast to that of Vista, Server 2008 development was steady, sure, and without controversy.

"The way we get to this point is that we had a clear feature list from the start," Hinrichs told me. "We locked down the bulk of the features we wanted to include in 2005, and did a final triage on features back in December 2006. Of course one or two things did trickle in over time, but the feature list was locked and loaded at end of 2006."

By doing so, the Windows Server team was able to hit its milestones as well as an impressive quality bar without having to "churn the code" in response to unexpected feature additions. "We just have so many OS components," Hinrichs said. "If you make a change to some low-level component, components that are high on the stack can be affected. So you have to lock it early. It reduces the amount of shifted sand."

This clear vision of a roles-based product lets Microsoft steer a ship that would otherwise be unwieldy. "We can tell a few thousand people [in the Server division] that this is what we are doing, and then they can execute on it," Hinrichs said. "The scope of our customer base is pretty big, from small businesses to the enterprise. But it's not as big a challenge as what you see on the client [i.e., Vista] where the scope runs from the consumer all the way up to the enterprise desktop."
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Replay the Positives from Windows 2003

The development of Server 2008 was also affected by lessons Microsoft learned from previous product versions. “What we tried to do with Windows Server 2008 is take the positives from the Windows Server 2003 playbook and replay those,” Hinrichs said. “And then we avoid the mistakes. We know what's working because customers tell us it's good.”

The most important lesson was to deploy early and often. Microsoft knew that some of the more “disruptive” server roles—Web server, Active Directory (AD), Network Access Protection (NAP), Terminal Services Gateway—needed to be rock solid before they could be shipped in final form to customers. So these roles got at least 18 months of testing internally at Microsoft and externally with its Technology Adoption Program (TAP) customers. “Over time, we've discovered that that's the magic time period,” Hinrichs noted. “So that's what we've done, and over two years in some cases. We deployed Beta 2 [back in 2005] within Microsoft and externally with 50 customers we watch very closely. They get weekly calls and extra funding and people out to visit them on the road regularly. They were running [Server 2008's] Active Directory two years ago, just like [Microsoft].”

Feedback from the TAP deployments led to a dramatic improvement in quality as Microsoft fixed bugs related to reliability and usability. “We'd get admins telling us that certain UIs didn't make sense,” Hinrichs added. “Eventually we got to the point where the Active Directory role was so stable that every Monday we're updating our Windows development domain with the Monday build. It's in such good shape. But you can only do that with 18 months of deployment to validate that it's ready.”

Realistically, Microsoft realizes that even the most stringent beta test process won't uncover all bugs because some issues simply don't crop up until you've gotten the product out in the real world. “We can't predict everything,” Hinrichs told me. “So the only way to make sure is to deploy broadly. We built that religion with Windows 2000/2003, and it's the mantra we live by for 2008.”

Microsoft IIS is another good example. Microsoft has been incredibly aggressive deploying IIS internally and externally, and Microsoft.com has been running on the IIS version in Server 2008 for years now. Microsoft also pushed the IIS Go Live program to 
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customers as early as Beta 3. “The message 
is simple," Hinrichs said: “Deploy, deploy, 
deploy." 

A Compartmentalized Build Process That Flows

Internally, Microsoft has restructured the build process for Server 2008 so that the process, like the product itself, is more compartmentalized. A Main OS build is created every day, as with previous product versions, but the process of getting revisions into that Main build is far more granular than before.


Under the server roles group, for example, you'll see subgroups such as the AD team, the Terminal Services team, the IIS team, and about 20 others. The developmental lead on the AD team checks in code at the server roles level while inheriting code from above. After that code is ready for broader consumption, it's checked into a higher branch and consolidated back into the Main development tree. This process is ongoing, obviously, and requires people at each level who can be trusted to monitor the quality and necessity of new code additions.

“There's code flowing up and down the tree nonstop,” Hinrichs said, “but we maintain high quality at both levels by a set of quality gates. These gates are looking at BVTs [build verification tests], a battery of tests against sub-builds that make sure something the AD guys do doesn't break other things or prevent other teams from testing. Everything has to work.”

Microsoft also runs code quality tools which look for security bugs, buffer overruns, and anything else that might cause problems. There are also code dependency checks—some 40-odd layers of dependencies between components, Hinrichs told me. “To maintain the componentization of the OS, you have to make sure you aren't unwittingly breaking dependencies.” The goal of all these tests is to catch these issues far down on the tree so that they affect the smallest possible group of developers. “All these tools run overnight,” Hinrichs said. “And we get status reports in the morning. We can see where different teams are.”

Because of the componentization of the development process with Server 2008, the ship room strategy has also changed since Windows 2003. “It's more evolved now,” Hinrichs said. “We don't just have the main ship room. Now we also have seven distributed ship rooms, run by people who meet with the people checking in code below them. They all have daily meetings, as does the main ship room. The main ship room's agenda is simple: Who in the seven distributed ship rooms is ready to bring code up [the tree into the Main build]?”

While the main ship room is still used for triaging code bugs, many of these bugs are now handled lower in the tree, so the main ship room's emphasis has changed somewhat. “We communicate what the focus is, the testing we're doing, but we have to rely on local expertise [lower in the tree],” Hinrichs said. “It's much more distributed now, with more local ownership. The system is just so big. As you can imagine, the people in the middle tier have awful jobs, awful. They have to work up and down the tree and end up working their butts off. They have over 20 groups below them and me on the top. It's a very, very tough job.”

Looking Ahead 

In future issues of Windows IT Pro and on our SuperSite for Windows, I will continue this behind-the-scenes look at the development of Server 2008. Stay tuned for more information about Microsoft's internal build process for this very complex product.

InstantDoc ID 97400 


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2 More PDF Utilities to Lighten Your Computer’s Load

In his Reader to Reader article "Lighten Your Computer's Load” (September, InstantDoc ID 96615), Apostolos Fotakelis talks about some free programs that he uses to make his computers less resource-hungry. I used to use all of those programs. However, when I upgraded to Windows Vista recently, I discovered that I could no longer use PDFCreator. Fortunately, I found an alternative: CutePDF (www.cutepdf.com). 

CutePDF is free, does everything that PDFCreator can do, and is Vista friendly. 

Another PDF utility that I like using is PDFTools 1.3 (www.sheelapps.com). This free program lets you: 

• encrypt a PDF file by assigning it a password 

• create a protection-free version of an encrypted PDF file 

• create a PDF file by joining multiple PDF files 

• split a PDF file in multiple ways, such as splitting each page to a new PDF file and splitting a file after a given page number 

• arrange pages in a PDF file 

• overlay text or an image over a PDF file 

• convert an XML file into a PDF file 

Note that you need Java Runtime Environment/Java Development Kit (JRE/JDK) 1.4 or later to use PDFTools. This program works great with either Vista or Windows XP. 

—Jeff Owens, 
System Administrator, 
Key Fasteners Corp. 

InstantDoc ID 97404 
If you need to quickly mount a VHD image to see its contents, you can use the VHD Mount utility. 


Mount and Dismount VHD Images on Command 

If you've joined the virtualization revolution, there are times when you might need to quickly mount a Microsoft Virtual Hard Disk (VHD) image to see its contents, just like any ordinary hard disk. If you're running Microsoft Virtual Server 2005 R2 with SP1, you already have a utility you can use: VHD Mount (vhdmount.exe). 

VHD Mount comes installed in the C:\Program Files\Microsoft Virtual Server\Vhdmount folder. You can use this tool from the command line; the commands are pretty straightforward. To mount an image, follow the syntax 

vhdmount.exe /m vhd_path drive 

where vhd_path is the path to the .vhd file you want to mount and drive is the drive letter to which you want to assign the image. You need to specify the colon after the drive letter (e.g., F:). 

By default, VHD Mount creates an undo disk for each mounted image, just like Microsoft Virtual PC and Virtual Server do. If you want to override this behavior and write directly to the mounted image, you can add the /f switch: 

vhdmount.exe /m vhd_path drive /f 

To dismount an image, you have two options. If you want to save any changes you've made to the VHD before dismounting, follow the syntax: 

vhdmount.exe /u /c vhd_path 

If you don't want to save any changes you've made to the VHD before dismounting, use this syntax instead: 

vhdmount.exe /u /d vhd_path 

Note that you need administrative 
rights to run VHD Mount. 

—Apostolos Fotakelis, Systems 
Administrator, Aristotle University of 
Thessaloniki, and freelance IT consultant 

InstantDoc ID 97396 
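The mount, inspect and dismount sequence from the letter above, wrapped into a script so an image can be examined without ever being altered. This is an added example and not part of the reader's letter: it assumes vhdmount.exe sits in the folder the letter names, that the script is run from an elevated PowerShell prompt, and that the caller supplies the VHD path and a free drive letter. The mount keeps the default undo disk (no /f), and the dismount uses /u /d, so whatever happens while the image is mounted is discarded.

```powershell
# Added example (not from the letter): mount a VHD read-only for inspection with
# VHD Mount, inventory its files, then dismount and discard the undo disk.
# Assumes vhdmount.exe lives where the letter says and the caller is an admin.
param(
    [Parameter(Mandatory = $true)] [string] $VhdPath,   # path to the .vhd to inspect
    [string] $DriveLetter = "F:"                        # free drive letter, colon included
)

$vhdmount = Join-Path ${env:ProgramFiles} "Microsoft Virtual Server\Vhdmount\vhdmount.exe"
if (-not (Test-Path $vhdmount)) { throw "vhdmount.exe not found at $vhdmount" }
if (-not (Test-Path $VhdPath))  { throw "VHD not found: $VhdPath" }

# VHD Mount needs administrative rights; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (administrator) prompt."
}

# Mount with the default undo disk (no /f), so the image file itself is never written.
& $vhdmount /m $VhdPath $DriveLetter
if ($LASTEXITCODE -ne 0) { throw "vhdmount /m failed with exit code $LASTEXITCODE" }

try {
    # Inventory the mounted image: full path, size and last-write time of every file,
    # including hidden and system files (-Force).
    Get-ChildItem -Path "$DriveLetter\" -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
finally {
    # /u /d dismounts and discards the undo disk, leaving the VHD exactly as found.
    & $vhdmount /u /d $VhdPath
    if ($LASTEXITCODE -ne 0) { Write-Warning "vhdmount /u /d returned $LASTEXITCODE" }
}
```

The dismount sits in a finally block so the image is released even if the inventory fails part-way; if you need to keep changes you made while the image was mounted, swap /d for /c as the letter describes.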


2 Tricks to Try When 
Existing Devices 
Don’t Seem to Work 
on Vista 

At my company, we recently started to roll out Windows Vista on some of our machines. As we expected, a lot of devices no longer work. Take, for example, our laptops that use USRobotics' USR5420 USB wireless device instead of a built-in Wi-Fi chip. The driver doesn't install on Vista unless we copy the installation CD-ROM to the C drive, then configure the installer to run as Windows XP SP2 using administrator privileges. When we do this, the installer completes and Vista is able to access Wi-Fi networks. 

Unfortunately, this trick didn't work with our HP Scanjet 7450c digital flatbed scanner. This scanner is connected to a Windows Server 2003 R2 server through a USB device, and we use HP's Precision Scan Pro software to share this scanner over the network. On XP, we install the scanner's driver and an HP utility called Scan to Network, which tells the scanner driver to use the network printer instead of a local one. 

On Vista, we were able to run the installer without changing the installation program's compatibility mode, but when we started up the Precision Scan Pro software, we received numerous JavaScript errors, followed by a message saying that the scanner wasn't available. 

When we tried changing the compatibility mode of the scanning software to XP SP2 and running it under administrator privileges, we didn't even receive JavaScript errors. We only got the message that the scanner wasn't available. However, when I changed the settings of the scanning software back to the default settings (i.e., run as Vista, no administrator privileges), the scanner was available. I have since tested this trick on several other computers and in every case the scanner worked. Somehow, setting the scanning software to run as Windows XP SP2 under administrator privileges, then setting it back to the default settings fixed all the problems. 

Maybe these two tricks will work with other devices that don't initially work with Vista. Shame on HP and other manufacturers for not providing new software and drivers for "legacy" hardware. 

—Peter Wong 

InstantDoc ID 97395 

Centrally Control 
IE 7.0 Settings 
with Vista’s 
Administrative 
Template 

One of my clients recently upgraded the browsers on all its workstations from Microsoft Internet Explorer (IE) 6.0 to IE 7.0. One reason why the client decided to perform the upgrade was because IE 7.0 lets you centrally control settings. Specifically, the client was interested in the centralized control of IE's RSS feature, so the client asked me to implement a solution to provide this control. 

After doing some research, I decided to install Windows Vista's Administrative Template files on the existing domain controller (DC) running Windows Server 2003 Active Directory (AD) and administer the RSS settings through Group Policy. Vista's Administrative Template differs from its predecessors' Administrative Template. Vista replaces the .adm file with a pair of files: an XML-based .admx file and a language-specific .adml file. You store these files in what is called a central store. Here's how I implemented the solution: 

1. I set up a central store on the existing DC by creating a new %systemroot%\sysvol\domain\policies\PolicyDefinitions folder, where domain is the domain's name. Under the newly created folder, I created a subfolder named %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US. 

2. I copied the InetRes.admx file from the %systemroot%\PolicyDefinitions folder on my Vista system to the %systemroot%\sysvol\domain\policies\PolicyDefinitions folder on the DC. This Administrative Template, which is one of many, is specifically for IE 7.0 settings. 

3. I copied the %systemroot%\PolicyDefinitions\en-US\InetRes.adml file from my Vista system to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US folder on the DC. 

4. I ran Group Policy Management Console (GPMC) from my Vista workstation and created a new policy that contained the RSS settings the client wanted. 

5. Using the Administrative 
Template, I applied the policy to the 
client's workstations. 

If you want to learn more about Vista's Administrative Template files, check out the Microsoft articles "Dig into New Group Policy Templates in Windows Vista" (www.microsoft.com/technet/technetmag/issues/2007/02/Templates/default.aspx) and "New Format and Functionality of Administrative Template Files (ADMX)" (technet2.microsoft.com/WindowsVista/en/library/ea452d9f-2aca-46ef-9df4-4a5abeaJ47371033.mspx?mfr=true). 

—Jian Bo 
InstantDoc ID 97397 
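Steps 1 through 3 of the letter above as a PowerShell script, with a check that the copied template pair is complete. This is an added example, not the author's own procedure: it assumes it runs on the Vista workstation, that it reaches the DC's PolicyDefinitions folder through the domain's SYSVOL share (pass -Store to point at another path, such as the DC's local %systemroot%\sysvol folder the letter uses), and that the caller supplies the domain name and language; the domain value shown is a placeholder.

```powershell
# Added example, not from the letter: build the Group Policy central store and
# copy a Vista machine's InetRes.admx/.adml into it. The store path follows the
# letter's layout, reached here over the domain's SYSVOL share (an assumption;
# pass -Store to use the DC's local %systemroot%\sysvol\... folder instead).
param(
    [Parameter(Mandatory = $true)] [string] $Domain,   # placeholder: your AD DNS name
    [string] $Language = "en-US",
    [string] $Store = ""
)

if ($Store -eq "") { $Store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions" }
$source  = Join-Path $env:SystemRoot "PolicyDefinitions"   # Vista's local template folder
$langDir = Join-Path $Store $Language

# Step 1: create the central store and its language subfolder.
foreach ($dir in @($Store, $langDir)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Steps 2 and 3: copy the IE 7.0 template and its language file.
$pairs = @(
    @{ From = (Join-Path $source "InetRes.admx");                       To = $Store   },
    @{ From = (Join-Path (Join-Path $source $Language) "InetRes.adml"); To = $langDir }
)
foreach ($p in $pairs) {
    if (-not (Test-Path $p.From)) { throw "Source template missing: $($p.From)" }
    $target = Join-Path $p.To (Split-Path $p.From -Leaf)
    if (Test-Path $target) {
        # Never overwrite silently: a different .admx changes policy semantics domain-wide.
        Write-Warning "${target} already exists; remove it first to replace it."
    } else {
        Copy-Item -Path $p.From -Destination $target
        Write-Host "Copied $($p.From) -> ${target}"
    }
}

# Check: every .admx in the store needs a matching .adml in the language folder,
# or GPMC will not display that template.
$admx    = @(Get-ChildItem $Store   -Filter *.admx | ForEach-Object { $_.BaseName })
$adml    = @(Get-ChildItem $langDir -Filter *.adml | ForEach-Object { $_.BaseName })
$missing = @($admx | Where-Object { $adml -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Templates without a $Language .adml: $($missing -join ', ')"
} else {
    Write-Host "Central store OK: $($admx.Count) template(s) with matching $Language .adml files."
}
```

Steps 4 and 5 (creating and linking the policy in GPMC) are left to the console as in the letter. Because everything under PolicyDefinitions replicates to every DC and is read by every GPMC session, the script refuses to overwrite an existing template rather than replacing it in place.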
New & Improved 

EDITOR’S NOTE: Send new product announcements to products@windowsitpro.com. 



Security 

Virtual-Network Monitor 
Goes Portable 

Catbird Networks launched Pocket V-Agent, which runs from a USB stick and lets the PC to which it’s connected monitor for vulnerabilities, intrusion detection and prevention, policy compliance, and unauthorized users on servers running multiple virtual machines (VMs) based on VMware. Pocket V-Agent monitors virtual segments within a host as well as physical network segments connected to the host. Pocket V-Agent is the portable version of the Catbird V-Agent virtual appliance, which was launched in June 2007. For more information, go to www.catbird.com. 


Virtualization 

Create, Manage, and 
Distribute Digital Workspaces 

RingCube Technologies has announced MojoPac Enterprise Suite, a collection of three separate products that rely on virtualization technology to create secure, virtualized workspaces. The MojoStation lets IT admins create a MojoPac image that users download from a secure Web site. This image is a secure digital workspace that can be configured to support corporate security and access policies. The MojoStation is also isolated and encrypted from the host computer for additional security. MojoDrive lets IT administrators build and load managed MojoStation environments onto a USB storage device for distribution to a user’s PC, and MojoNet is used to distribute a secure MojoPac image over a corporate network. According to RingCube, MojoNet takes advantage of all the peripherals, connections, and processing ability of 
the host PC. To find your Mojo, contact RingCube Technologies at 650-265-0326, or visit www.mojopac.com. 


Exchange/Messaging 

PostPath Offers Broad Mobile Device Support, Improved Performance 

The recent release of PostPath Server 3.0, a Microsoft Exchange Server alternative, includes support for BlackBerry Enterprise Server (BES) and Microsoft ActiveSync, the push technologies used by the majority of mobile devices. In addition, performance improvements such as a synchronization cache allow mobile device support, which the vendor claims is significantly faster than what Exchange provides. PostPath Server is natively compatible with Active Directory (AD) as well as Exchange Server 2007/2003/2000, which helps users who are migrating gradually from Exchange. For more information, contact PostPath at 650-810-8100, or go to www.postpath.com. 


Backup and Recovery 

Integrated, Cross-Platform CDP 

BakBone Software today announced NetVault: Backup 8.0. The newest release of the company’s data protection solution expands the product’s feature set and introduces integrated continuous data protection (CDP) capabilities. BakBone’s new CDP offering, called NetVault: TrueCDP, helps customers meet aggressive recovery point objectives for valuable and time-sensitive data. NetVault: Backup 8.0 offers cross-platform support for Linux, Windows, and Solaris environments. For more information, contact BakBone Software at 858-450-9009, or visit www.bakbone.com. 

InstantDoc ID 97391 



Strangeloop Networks has released the Strangeloop AppScaler, an appliance that optimizes Microsoft ASP.NET and AJAX Web applications in real time without the need for developer code changes or system administrator infrastructure modifications. The AppScaler is designed to address performance problems arising from the deployment of numerous rich, dynamic Web applications within the enterprise. With an AppScaler appliance deployed in an enterprise data center between the application servers and the network load balancer, ASP.NET applications can be scaled out while ensuring high performance. A feature of the appliance, called Dynamic Choreography, transforms Microsoft-recommended techniques for optimizing application performance into real-time, adaptive, network-based optimization—in other words, faster page loads and decreased bandwidth use. For more information, contact Strangeloop Networks at 604-638-1744 or 800-763-1712, or visit www.strangeloopnetworks.com. 
Insights from the industry 

Outlook Web Access Security Risks Often Overlooked 


More and more companies have to deal with remote workers, whether because of satellite offices, telecommuters, employees who travel, or employees simply putting in extra hours from home. And these workers require and expect easy access to their email Inboxes, no matter where they are. For organizations that use Microsoft Exchange Server, Outlook Web Access (OWA) is an easy alternative to VPN for accessing email remotely. It provides access to email from any Web browser. However, one of the biggest concerns IT pros face with an OWA implementation is security. Even though most companies use ISA Server and other technologies such as RSA encryption and forms-based authentication (FBA), OWA still presents vulnerabilities that these technologies don’t address. 

OWA vulnerabilities fall into two main categories: Email attachments that might contain confidential information can be read, copied, and printed by people not authorized to open them, and OWA accounts can be accessed by unauthorized users. According to Messageware founder and President Mark Rotman, when someone uses OWA and opens an email attachment, it remains in the browser’s cache. When the user leaves his or her computer, the document is left behind, and whoever uses the computer next can retrieve the document, even after the original user has logged off from the OWA session. 

The other vulnerability is a navigation-related threat. If an OWA user walks away from his or her computer without closing the Web 
browser, the user’s OWA session is left exposed; the next person to use the computer can simply hit the back button or check the history to 
get back to the user’s OWA session without entering any credentials. 

Authentication or security products such as ISA, RSA, or FBA secure the infrastructure and perimeter of networks, but they don’t specifically address a Web mail application. “Organizations spend a lot of money and effort on securing access points, the point at which passwords or tokens are collected,” said Rotman, “and that security is circumvented when a user navigates away from the OWA page to check something on Google while at Starbucks and then walks away. That session is left active for an extended period of time.” Think about all the types of company information that users’ Inboxes contain, and you begin to see the magnitude of the problem. 

Rotman added that with ISA and FBA, there’s still a 15-20 minute timeout period that leaves the computer exposed when a user walks away. In addition, an FBA screen has buttons that ask users whether this is a public computer or a private computer. “Users quickly realize that policies are less stringent if they click private,” he said. “So many users just always click private. That can circumvent the 20-minute timeout. That takes security out of the IT department and places it into the hands of users.” 

Messageware seeks to put OWA security back into the IT department and has developed several products that help to do that. Two of them, AttachView and NavGuard, solve the specific problems discussed. With AttachView, the file open button is disabled by default and attachments are not automatically cached; they are opened in a secure Web view. Administrators can configure which users or computers can open attachments and under what circumstances. NavGuard detects when a user navigates away from an active OWA session, and prompts the user to either log off or return to the session. 

InstantDoc ID 97252 
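A way to check your own OWA front end for the cached-attachment problem described above, added here as an example and not taken from the article or from Messageware. The function inspects the HTTP headers an attachment response carries for the standard directives that stop a browser from writing the file to its disk cache (Cache-Control: no-store and no-cache, Pragma: no-cache, and no Expires date in the future). The two header sets are constructed samples, the attachment URL is a placeholder, and which headers a particular OWA or ISA configuration actually sends is an assumption you settle by running the live check against your own server.

```powershell
# Added example, not from the article or from Messageware: audit the response
# headers of an attachment URL on your own OWA front end for the directives that
# keep browsers from writing the file to their disk cache. The header rules are
# plain HTTP; the URL and the two sample header sets below are constructed.

function Test-AttachmentCachePolicy {
    param([hashtable] $Headers)           # header name -> value
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[$k.ToLower()] = [string]$Headers[$k] }

    $cc = ""; if ($h.ContainsKey("cache-control")) { $cc = $h["cache-control"].ToLower() }
    $findings = @()
    if ($cc -notmatch "no-store")     { $findings += "Cache-Control lacks no-store" }
    if ($cc -notmatch "no-cache")     { $findings += "Cache-Control lacks no-cache" }
    if ($h["pragma"] -ne "no-cache")  { $findings += "Pragma: no-cache is missing" }
    if ($h.ContainsKey("expires")) {
        # Expires must be 0, -1 or a past date; a future date invites caching.
        $exp = $h["expires"]; $dt = [DateTime]::MinValue
        if ($exp -ne "0" -and $exp -ne "-1" -and
            [DateTime]::TryParse($exp, [ref]$dt) -and $dt -gt [DateTime]::Now) {
            $findings += "Expires is in the future ($exp)"
        }
    }
    return @{ Cacheable = ($findings.Count -gt 0); Findings = $findings }
}

function Get-ResponseHeaders {
    # Fetch a URL with the caller's Windows credentials and return its headers.
    param([string] $Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true    # integrated auth; an FBA front end needs its session cookie instead
    $req.AllowAutoRedirect = $false       # a redirect to the logon form is itself worth seeing
    $resp = $req.GetResponse()
    try {
        $out = @{}
        foreach ($name in $resp.Headers.AllKeys) { $out[$name] = $resp.Headers[$name] }
        return $out
    } finally { $resp.Close() }
}

# Constructed samples: a default-looking download beside a hardened one.
$weak = @{ "Content-Type" = "application/msword"; "Cache-Control" = "private";
           "Expires" = "Thu, 01 Jan 2099 00:00:00 GMT" }
$hardened = @{ "Content-Type" = "application/msword"; "Pragma" = "no-cache";
               "Cache-Control" = "no-store, no-cache, must-revalidate"; "Expires" = "-1" }

foreach ($case in @(@{ Name = "weak"; H = $weak }, @{ Name = "hardened"; H = $hardened })) {
    $r = Test-AttachmentCachePolicy -Headers $case.H
    Write-Host ("{0,-9} cacheable={1,-5} {2}" -f $case.Name, $r.Cacheable, ($r.Findings -join "; "))
}
# Live check against your own server (placeholder URL, run from an authenticated session):
# $r = Test-AttachmentCachePolicy -Headers (Get-ResponseHeaders "https://owa.example.com/<attachment URL>")
```

Against the constructed samples, the weak set reports four findings and the hardened set none. A finding does not by itself prove a file was written to disk, since browsers also apply their own rules for HTTPS content and local settings; treat the result as a configuration review of the server side of the problem, which is the part an administrator controls.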
“This is by far the best defrag product... After installing Diskeeper 2008 I don’t have to worry about disk fragmentation ever again. It does everything for me invisibly in the background.” 


It’s Smart. 

It’s Transparent. 

It Will Take Your System From Zero to Sixty— Automatically! 


Automatically and invisibly solve disk performance issues—forever 

File fragmentation—the splitting of files in tens, hundreds or thousands of pieces—puts the brakes 
on system performance. It slows access to a crawl. It causes delayed application launches and slow 
boot ups. It can even cause system crashes. 

Introducing the first and only completely automatic defragmentation solution. New Diskeeper® 2008 with 
InvisiTasking™ defragments in real-time, invisibly in the background. Intelligently monitors and utilizes 
only idle system resources, while users continue to work. And with fragmentation completely eliminated, 
your performance flies. Systems are maintained at peak performance and reliability— automatically! 

► True transparent, background defragmentation, unnoticeable to applications 
and users — except, of course, for the newfound performance and reliability. 

► No scheduling required. Ever. Ever. Ever. 

► Adaptive technology boosts access to your most commonly-requested files, 
beyond defragmentation alone. 

► Work smarter not harder. Each volume is different. Dynamic intelligence determines 
and delivers maximum minute-to-minute benefits with minimal effort. 

► Advanced defragmentation uniquely designed for high-capacity, high traffic disks. 

► No room to move? Extreme fragmentation? No problem. New, complete 
defragmentation in all conditions—even with less than 1 % free space. 

► Critical system file fragmentation now automatically prevented. 

► Allows you to leverage VSS data protection and the performance and reliability 
of defragmentation. 


FREE OFFER 


with InvisiTasking- 

Diskeeper 2008 

Maximizing Performance and Reliability— Automatically ™ 

Try New Diskeeper 2008 Free for 45 Days! 

Download at www.diskeeper.com/win2008 

Note: Special 45-day trialware is only available at the above link 

Volume licensing, government and educational discounts 
are available from your favorite reseller. For a free quote visit 
www.diskeeper.com/quote10 or call 800-829-6468. Code 4006 




© 2007 Diskeeper Corporation. All Rights Reserved. Diskeeper, Maximum System Performance and Reliability—Automatically, InvisiTasking, and the Diskeeper Corporation 
logo are either registered trademarks or trademarks owned by Diskeeper Corporation in the United States and/or other countries. All other trademarks and brand names are 
the property of their respective owners. Diskeeper Corporation • 7590 N. Glenoaks Blvd. Burbank, CA 91504 • 800-829-6468 • www.diskeeper.com 










Reviews 



Summaries of in-depth product reviews on Paul Thurrott’s SuperSite for Windows, www.winsupersite.com 


PROS: Aggregates all previous fixes; adds a 
few new Vista-like features 
CONS: Delayed in coming; last XP service 
pack 

RATING: *+**0 
RECOMMENDATION: Windows XP SP3 
should prove a boon to companies of 
all sizes still using Microsoft’s previous 
desktop OS. XP SP3 adds support for 
Network Access Protection in Windows 
Server 2008, key-less new product 
installation, and a new kernel mode 
cryptographic module. You’ll see Internet 
Explorer 7.0 and Windows Media Player 
11 bundled as well. Microsoft should have 
delivered XP SP3 two years ago. What 
took so long? 

CONTACT: Microsoft • 800-426-9400 • 
www.microsoft.com 

DISCUSSION: www.winsupersite.com/faq/ 
xp_sp3.asp 




PROS: Huge performance and scalability 
gains; unstructured data support; LINQ 
capabilities 
CONS: None serious 


RATING: ***** 
RECOMMENDATION: SQL Server 2008 is a 
major update to Microsoft’s increasingly 
popular database server and moves into 
a world of non-relational data for the 
first time. It features new development 
possibilities with the Language-Integrated 
Query (LINQ) framework for .NET- 
managed code languages and native 
support for a wide range of unstructured 
data, including file-system-based 
documents. It will launch alongside 
Windows Server 2008 and Microsoft 
Visual Studio 2008 in February, but won’t 
ship until second quarter 2008. 

CONTACT: Microsoft • 800-426-9400 • 
www.microsoft.com 
DISCUSSION: www.winsupersite.com/ 
showcase/sql2008.asp 

InstantDoc ID 97410 
GPExpert Troubleshooting Pak 1.0 

Editor’s Note: Following is a summarized version of 
John Green’s review of GPExpert Troubleshooting Pak 
1.0. To read the full-length version of the article, go to 
www.windowsitpro.com and enter InstantDoc ID 97313. 


SUMMARY 


GPExpert Troubleshooting 
Pak 1.0 

PROS: Provides useful information for Group 
Policy troubleshooting; lets users request a 
Group Policy refresh at will; easy to install 
and use 

CONS: The basic feature set lacks x64 support, centralized logging, and remote registry monitoring. 

RATING: 

PRICE: $5 per managed computer 
(minimum 200 computers) 

RECOMMENDATION: I recommend 
using GPExpert if you rely heavily on Group 
Policy administrative templates for application 
configuration because it can reduce the time 
spent troubleshooting Group Policy problems. 

CONTACT: SDM Software • 
www.sdmsoftware.com • 415-670-9302 


SDM Software’s GPExpert Troubleshooting Pak 1.0 is a useful set of Group Policy problem-solving tools. When you use Group Policy to implement user, system, and application settings, and you’re not getting the results you’d expect, GPExpert can simplify your troubleshooting and give you access to useful information you’d otherwise have to work much harder to get. 

GPExpert Troubleshooting Pak 1.0 includes four components. The Health Reporter analyzes the current state of Group Policy on the local system and informs you of any problems. Log Analyzer extracts, presents, and interprets information from various Group Policy logs and links to related troubleshooting articles. Group Policy Spy monitors application access to Group Policy-related registry information and lets you know which administrative templates are referenced and the applications that use them. The Status Monitor reports Group Policy refresh activity to the local application event log and lets users request a Group Policy refresh. 

Health Reporter and Log Monitor will connect to and work with remote systems; however, Group Policy Spy works only with the local system. Although the first three utilities are intended for use by systems administrators, Status Monitor is intended for use on end-user workstations, perhaps under the direction of Help desk staff. GPExpert is supported for use with 32-bit versions of Windows Vista, Windows Server 2003, and Windows XP. 

GPExpert requires the Microsoft Group Policy Management Console (GPMC) and .NET Framework 2.0 or later to be installed on the target system. I installed GPExpert on several XP systems and on two Windows 2003 systems, one a member server and the other a domain controller (DC). After GPMC and .NET Framework 2.0 were installed, GPExpert installation was a quick and easy wizard-driven process. 

I tested each of GPExpert’s tools with XP systems. Each tool provides easy access to information that will help you resolve Group Policy-related problems. However, the tools offer only a basic feature set—typical of first-version products. In Health Reporter, a drop-down list of recently accessed computers would be handy and eliminate the need to enter or browse for computers you've previously visited, and its absence reflects this product’s youth. Remote registry monitoring in Group Policy Spy, x64 support, and centralized logging of Group Policy processing results are some other key features that would enhance GPExpert’s overall utility. However, GPExpert is easy to install and use, and the information it provides can be extremely helpful. The minimum license requirement of 200 might be more than some organizations need, but at $5 per license it isn’t expensive. If you heavily rely on Group Policy, you should download the free nine-day trial and check it out. 

InstantDoc ID 97313 
Review 

Astaro Security Gateway 220 

Editor’s Note: To read the full-length version of this review, go to www.windowsitpro.com 
and enter InstantDoc ID 97266. 


The Astaro Security Gateway (ASG) 220 is an appliance that can be licensed and configured for a variety of network security functions, including firewall, VPN gateway, and intrusion prevention. Three subscription options enhance the basic functionality: Web Filtering adds virus protection and URL filtering to block access to certain Web sites; Email Filtering adds virus and spyware protection, phishing protection, and spam filtering; and Email Encryption supports digital signing and automated email encryption and decryption. 

The ASG 220 is a 2.5GHz Intel Celeron-based system with 512MB memory and an 80GB hard disk. An LCD on the front panel displays basic system status, and seven of the eight 10/100 Ethernet ports are configurable; the eighth port is dedicated to a connection to other ASGs when running in high-availability or load-balancing configurations. 

The ASG’s WebAdmin is a browser-based interface, developed using Ajax, that lets you move quickly between screens. Astaro manages updates through the ASG’s automatic update service and leaves you with the ease-of-use experience you expect from an appliance. The interface is well organized and gives you granular control. I counted 184 active status and configuration screens, although I needed only nine to initially configure the appliance. 

I configured WAN and LAN network interfaces, enabled dynamic Network Address Translation (NAT) and the intrusion prevention system (IPS), and defined three basic packet filters to permit internally originating sessions and drop all other packets. 

With basic configuration complete, I enabled the WAN interface. My Skype and T-Mobile Wi-Fi connections came online, indicating a successful configuration. I accessed a few standard (HTTP) and secure (HTTPS) Web sites to further confirm that all was working. 

The Network Security status page 
shows statistics for the top IPS attacks 
blocked by IPS rule number. Although 
WebAdmin lets you disable a rule or alter 
the action taken when a rule is triggered, 
it has no interface to display individual IPS 
rule definitions. Astaro plans to add links to 
IPS rule information within WebAdmin in a 
future release. 

The ASG has full site-to-site and remote-access VPN support for connection via Secure Sockets Layer (SSL), PPTP, IPsec, and L2TP over IPsec. The product supports both local-user and Remote Authentication Dial-In User Service (RADIUS)-based user authentication, as well as certificate-based and pre-shared key session authentication. 

The ASG worked well in my tests, although my experience wasn’t uniformly perfect. WebAdmin locked up at times; the menu pane updated as I clicked in different areas, but the detail pane didn’t update accordingly. An Astaro spokesperson told me that this problem results from clicking to a new page before the current page finishes displaying; Astaro has a fix in the works. 

By default, Web antivirus scanning disables download of several file types, including .exe files, which can be a problem for software distribution. Also, filtering uncategorized Web pages is enabled by default, but WebAdmin shows no sign of that on higher-level configuration screens. A graphical representation (e.g., a grayed check box) when some but not all options are enabled would be helpful here. 

SUMMARY 

Astaro Security Gateway 220 

PROS: Broad feature set includes email encryption and signing, VPN, firewall, and antivirus; setup is easy, with many configuration options; Web-based administrative interface is very responsive; product is available both as an appliance and as software; licensing is favorable, including free use for as many as 10 IP addresses in home environment 

CONS: Individual intrusion protection rules aren’t visible from WebAdmin 

RATING: 

PRICE: $2,550 for appliance with basic feature set; $6,645 for appliance and annual subscription to email filtering and encryption, Web filtering, and support five days per week 

RECOMMENDATION: The Astaro Security Gateway 220’s broad feature set and ability to be implemented on many platforms make it a must-see. Take this flexible, highly configurable perimeter security system for a test drive. 

CONTACT: Astaro • 877-427-8276 • www.astaro.com 


In addition to the appliance, Astaro Security Gateway Software Appliance—a software version of the ASG—can be licensed by number of protected IP addresses. Astaro offers a free license for noncommercial home use for 10 IP addresses or fewer, which includes the Web Filtering and Email Filtering subscriptions. Astaro also sells a VMware-based virtual appliance. The availability of software versions lets you quickly bring a software-based ASG into operation if the appliance fails. 

I’m impressed with the ASG’s feature set. It isn’t the easiest firewall appliance to configure, but it isn’t far off the mark—which is really extraordinary considering its broad feature set and plethora of configuration options. The ability to quickly configure a software-based backup unit will appeal to SMBs, and the ability to configure several appliances into a high-availability or load-balancing pool will appeal to larger environments. The inability to see details of individual IPS rules within the WebAdmin interface is the only significant shortcoming I found. The ASG is a must-see. If you’re in the market for a perimeter security appliance, you should definitely try the ASG 220. 
Review 

HP Compaq dx2250 Microtower Business PC 


The HP Compaq dx2250 Microtower Business PC provides a great balance of value and power. The dx2250 was designed as a task-oriented value PC and is particularly well suited to small-to-midsized businesses (SMBs) or large enterprises looking to get the most power at the lowest price point. Although the dx2250 lacks some high-end features such as transaction processing monitor (TPM) support in the BIOS, it does provide some other performance features that are unusual in a lower-priced system, such as 16x PCI Express card and dual-monitor support. 


The unit I reviewed was equipped with one AMD Athlon 64 X2 3800+ dual-core CPU running at 2GHz; 1GB of RAM; an 80GB 7200rpm Serial ATA (SATA) hard drive; an ATI Radeon X300 integrated graphics controller with 256MB of allocated video memory; and a DVD-RW optical drive. There was no diskette drive. The system was also equipped with three USB 2.0 ports on the front of the unit plus headphone and microphone jacks. In addition, there was a SmartMedia/xD slot; a CompactFlash Adapter slot; an SD/MMC slot; and a Memory Stick Pro/Memory Stick Pro Duo slot. Located on the back of the unit was a 10/100MB Ethernet adapter; four USB 2.0 ports; one serial port; one parallel port; an audio line-in port and an audio line-out port; a VGA port; a Digital Visual Interface (DVI) port; and keyboard and mouse ports. 

The dx2250 utilizes a basic case design that’s opened by the removal of two screws. Inside the case, the system has a 250-watt power supply, two full-height PCI slots, one full-sized PCI Express x1 slot, and 1 PCI Express x16 graphics slot. The dx2250 supports a maximum of 2GB of Double Data Rate 2 (DDR2) SDRAM in two DIMM slots. Additionally, the dx2250 supports a maximum of two SATA drives. The microtower case design provides plenty of room for expandability. 

The dx2250 that I tested came preloaded with Windows XP Professional SP2. You can also get it preloaded with Windows Vista Business, Windows XP Home Edition, or FreeDOS. HP offers 19 different processors ranging from the AMD Sempron 3600 to the AMD Athlon dual-core 64 5600+.

You can choose among three different 7200rpm hard drive options ranging from 80GB to 256GB. The system comes with HP’s Backup and Recovery Manager, Corel InterVideo WinDVD, and a 60-day trial copy of Symantec AntiVirus 10. Other software options include Microsoft Office 2007 and Microsoft Works 8.5.

SUMMARY

HP Compaq dx2250 Microtower Business PC

PROS: Excellent value, good performance, 64-bit compatibility, dual-monitor support (with additional ATI graphics card), very quiet

CONS: No TPM support

RATING:

PRICE: Starts at $359; tested configuration, $538

RECOMMENDATION: For SMBs and enterprises looking for the most power at the lowest price point, this basic value-oriented business system is a great choice.

CONTACT: HP • 800-752-0900 • www.hp.com

The out-of-box experience was very good, and the system was up and running in about a minute. After an initial fan burst when the unit is first powered on, the fan runs quietly, utilizing HP’s cooling algorithms to control fan speed and on/off. One pleasant surprise considering that this is a value PC is the unit’s dual-monitor support. The unit supports ATI’s SurroundView technology, which essentially lets you add an ATI PCI Express graphics card. The system simultaneously drives monitors from both the PCI Express card and the integrated graphics adapter. Although my test system didn’t have Vista loaded, the integrated adapter is compatible with Vista’s new Aero interface. As you would expect, when running average office tasks the system performed well.

If you’re looking for a basic value-oriented business system, I recommend the dx2250. Its low cost combined with good performance makes it a great choice for typical office tasks.

InstantDoc ID 97321
— Michael Otey
LG Flatron Monitor with DisplayLink USB Multi-Monitor Technology


You’re probably already aware of—or even already using—technology that lets you take advantage of more than one monitor to expand your monitor real estate. Typically, to hook up two or three monitors to a single system, you have to install more than one graphics card and ensure that you have proper cable connectivity—a hassle and an expense. Expanding your IT workspace across several monitors might seem hardly worth the effort. But what if you could do it all with a simple USB cable?

For the past month, I’ve been testing DisplayLink’s USB-connected network-display technology, and I’m smitten. The monitor that DisplayLink sent me—an LG Electronics LG Flatron L206WU—is a 20.5" LCD powerhouse with a maximum 1680 × 1050 resolution that just pops from the screen. But it was after I plugged the monitor in with a USB cable and went through the easy configuration steps that I became truly enthused.

The process of configuring multi-monitor computing with DisplayLink is straightforward. You hook up your additional display(s) and access the Display Properties dialog box by right-clicking the desktop. On the Settings tab, you’ll see new options for managing more than one monitor. You can configure mirrored settings or choose to expand your desktop to take advantage of the extra real estate. The LG Flatron L206WU monitor came equipped with DisplayLink’s Plug & Display 4.1 software, which sat in the monitor’s flash memory, automatically installing itself when I connected it via USB to my system. I plugged the device in, and the system instantly recognized it with the familiar Found New Hardware chime. Then, self-installation through the straightforward wizard followed. Almost instantly, I had two working monitors and a doubled display environment.

The DisplayLink solution uses several components: The company’s proprietary Virtual Graphics Card (VGC) software runs on the PC and communicates with the PC’s graphics API, taking input from the API and translating it into a high-performance, low-latency DisplayLink protocol for communication across the USB 2.0 interface. The VGC software requires no special hardware in the PC and runs like a standard Windows driver. A Hardware Rendering Engine (HRE) ASIC chip is embedded in the monitor, taking its input from the VGC software and converting it back to uncompressed pixels for display.

I let the solution run on my desktop, and the experience was top-notch—except for a few applications for which USB display was limiting. I typically used productivity software such as Microsoft Word on my primary display and dragged other software windows—such as my email Inbox and Microsoft Internet Explorer (IE) window—over to the LG Flatron L206WU display. I also realized huge time savings while multitasking the monitors with multiple applications—for example, copying data from app to app across the screens.

I never once experienced any lag in typical office-environment tasks. I tried quickly opening and closing software, dragging and dropping, and everything worked smoothly—instantaneous keyboard/mouse feedback. And being accustomed to an old HP workhorse CRT monitor, the graphics on the LG Flatron L206WU monitor blew me away.


SUMMARY

LG Flatron Monitor with DisplayLink USB Multi-Monitor Technology

PROS: Unprecedented USB convenience; plug-and-play setup; instantaneous keyboard/mouse feedback when opening and closing software and dragging and dropping; permits daisy-chaining as many as five monitors

CONS: Some lag with intensive tasks such as HD video

RATING:

PRICE: $529

RECOMMENDATION: For business users needing an easy-to-set-up multi-monitor solution, DisplayLink’s DL-160 chip technology and Virtual Graphics Card software in the LG Flatron L206WU monitor offer high image quality, no lag, and the convenience of plug-and-play setup.

CONTACT: LG Electronics • www.lge.com
DisplayLink • www.displaylink.com


Everything was sharp, and colors were realistic and vibrant.

Moving to more intensive tasks, however, I did experience lag. I tried an online video game and experienced minor screen jitters. I tried several video snippets, which worked well until I amped up to HD video, which caused problems. The inherent limitation of the technology is that intensive tasks consume a lot of processor power, leaving very little for the VGC software. As long as you understand that you won’t (for now) be enjoying HD video and full-screen 3D games on a USB-connected display, your experience will be phenomenal. Considering these limitations, DisplayLink’s solution is particularly suitable for business tasks, but it also has potential for IT scenarios. Imagine sitting at your desk, troubleshooting four or five user desktops on separate screens (DisplayLink permits daisy-chaining as many as five), all simultaneously manageable. If you try DisplayLink’s network display technology, you’ll never go back to a single-monitor setup again—particularly when all it takes to set up a panoramic, multi-monitor environment is a USB cable.

InstantDoc ID 97379
— Jason Bovberg

PC-to-Laptop Synchronization Tools

How important are ease of use, automation, customization, and 
conflict-resolution nimbleness to your environment? 


If you have users who work from multiple computers and need to synchronize, manage, and store files and folders across these computers to stay updated and organized, you understand the kind of chaos that can ensue if you don't give those users an easy-to-use, effective sync solution. You probably need to synchronize multiple computers as well, for personal or professional use. A myriad of laptop and PC synchronization solutions are available to help you, from the simple to the complex, from the free to the costly. In this buyers' guide, I take a look at synchronization tools and talk about what you need to consider when you're evaluating a solution. When you're ready to choose a product, this article's table—which lists some popular synchronization solutions and their features—should be a big help with your research.

How Synchronization Tools Work 

Many users first encountered the notion of file synchronization when they started using a PDA and needed to synchronize its data on their PC. But synchronization has become an essential facet of the entire business environment, regardless of hardware type. Although synchronization remains a vital need for mobile users, this buyers' guide concentrates on laptop and PC synchronization.

Synchronization tools generally use two-way sync, in which the system copies files between at least two locations. One-way sync is actually a form of mirroring, in which the system copies files to a target location but doesn't copy them back in the opposite direction. With two-way sync, you'll find the most current version of a file at both locations, no matter where it was last modified.

Synchronization software typically uses algorithms that analyze file attributes, size, and date/time stamps to determine how or if a file has been changed. If the software detects no difference between files, it takes no action. Some software requires an administrator or user to manually resolve conflicts between file changes, which can be annoying if many files or many file changes are involved. Many solutions now use rule sets to simplify the conflict-resolution process and reduce the time necessary for an administrator to review the conflicts.

Sync or Swim 

It might seem self-evident, but it bears stating that ease of use is an essential quality in a synchronization tool—whether it's for your IT staff or your users. People don't have the time to learn yet another complicated new tool. If your synchronization tool is difficult to use, it will be more of a time waster than a time saver. It's also helpful if the GUI is simple and offers fast visual information. Sophisticated users might want the option of using the command line—some tools do offer such functionality, although most don't. Also, consider what types of files (e.g., documents, spreadsheets, database files, Outlook PST files) you and your users need to synchronize—for example, some tools might synchronize Microsoft Excel files but not PST files.

Another feature you might want to consider is the solution's conflict-resolution process. You want the product to be able to detect conflicts in which a file has been changed on one or more sources. If your solution doesn't detect conflicts, you might end up losing files during the overwrite process. Is the conflict-resolution screen easy to read and quick to navigate? Or does it require multiple clicks within multiple dialog boxes to resolve a single conflict? If you have a single conflict, a somewhat complicated conflict-resolution screen might not seem problematic, but if you have dozens of conflicts to resolve, you might find yourself (or your users) spending more time than you want resolving conflicts.
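As an added example, not code from this guide or from any product listed in it, the following Python models the two-way sync, one-way mirroring and attribute/size/timestamp change detection described under "How Synchronization Tools Work", and the conflict detection discussed just above: a snapshot taken at the last sync is what lets a tool tell a one-sided change from a true conflict, and the naive "newest copy wins" comparison shows how a tool without that detection silently loses files. All file names, sizes and timestamps are constructed.

```python
"""Two-way file sync planning with conflict detection (constructed example)."""
from dataclasses import dataclass, field

Snapshot = dict[str, tuple[int, float]]   # path -> (size in bytes, mtime)


@dataclass
class Plan:
    copy_to_b: list = field(default_factory=list)
    copy_to_a: list = field(default_factory=list)
    delete_on_a: list = field(default_factory=list)
    delete_on_b: list = field(default_factory=list)
    conflicts: list = field(default_factory=list)   # changed on both sides
    unchanged: list = field(default_factory=list)


def changed(side: Snapshot, last: Snapshot, path: str) -> bool:
    """Changed since the last sync if size or mtime differ, or the file
    appeared or disappeared: the attribute/size/timestamp test the guide
    describes (no content hashing)."""
    return side.get(path) != last.get(path)


def plan_two_way(a: Snapshot, b: Snapshot, last: Snapshot) -> Plan:
    """Two-way sync: propagate each side's changes, flag double edits."""
    plan = Plan()
    for path in sorted(set(a) | set(b) | set(last)):
        ca, cb = changed(a, last, path), changed(b, last, path)
        if not ca and not cb:
            plan.unchanged.append(path)
        elif ca and cb:
            if a.get(path) == b.get(path):   # same result on both sides
                plan.unchanged.append(path)
            else:                            # needs a rule or a human
                plan.conflicts.append(path)
        elif ca:                             # only A moved since last sync
            (plan.copy_to_b if path in a else plan.delete_on_b).append(path)
        else:                                # only B moved since last sync
            (plan.copy_to_a if path in b else plan.delete_on_a).append(path)
    return plan


def plan_mirror(a: Snapshot, b: Snapshot) -> Plan:
    """One-way sync (mirroring): make B look like A, never copy back."""
    plan = Plan()
    for path in sorted(set(a) | set(b)):
        if path not in a:
            plan.delete_on_b.append(path)
        elif a[path] != b.get(path):
            plan.copy_to_b.append(path)
        else:
            plan.unchanged.append(path)
    return plan


def apply_rule_newest_wins(a: Snapshot, b: Snapshot, plan: Plan) -> Plan:
    """Rule-set resolution for flagged conflicts: the copy with the later
    mtime wins (an edit beats a deletion); exact ties stay for manual review."""
    still = []
    for path in plan.conflicts:
        ma, mb = a.get(path, (0, -1.0))[1], b.get(path, (0, -1.0))[1]
        if ma > mb:
            plan.copy_to_b.append(path)
        elif mb > ma:
            plan.copy_to_a.append(path)
        else:
            still.append(path)
    plan.conflicts = still
    return plan


def naive_newest_wins(a: Snapshot, b: Snapshot) -> Plan:
    """A tool with no last-sync snapshot compares the two sides only: a file
    deleted on A comes back from B, and a double edit is overwritten by
    whichever copy is newer, with nothing ever reported as a conflict."""
    plan = Plan()
    for path in sorted(set(a) | set(b)):
        ma, mb = a.get(path, (0, -1.0))[1], b.get(path, (0, -1.0))[1]
        if a.get(path) == b.get(path):
            plan.unchanged.append(path)
        elif ma >= mb:
            plan.copy_to_b.append(path)
        else:
            plan.copy_to_a.append(path)
    return plan


# Constructed sample: state at the last sync, then what each side did since.
LAST = {"report.docx": (4000, 100.0), "budget.xlsx": (9000, 100.0),
        "old.txt": (120, 50.0)}
DESKTOP = {"report.docx": (4200, 200.0),     # edited on the desktop (A)
           "budget.xlsx": (9000, 100.0)}     # old.txt deleted on the desktop
LAPTOP = {"report.docx": (4100, 210.0),      # also edited on the laptop (B)
          "budget.xlsx": (9500, 205.0),      # edited on the laptop
          "old.txt": (120, 50.0),
          "notes.pst": (30000, 220.0)}       # new on the laptop

if __name__ == "__main__":
    print("two-way:", plan_two_way(DESKTOP, LAPTOP, LAST))
    print("naive:  ", naive_newest_wins(DESKTOP, LAPTOP))
    print("mirror: ", plan_mirror(DESKTOP, LAPTOP))
```

With the snapshot, report.docx is reported as a conflict and old.txt is deleted on the laptop; the naive plan instead resurrects old.txt and overwrites the desktop's report.docx without a word.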

If your users are otherwise occupied or don't want to have to think about synchronization, the ability to schedule synchronization can be helpful. However, you'll probably also want to have the option of on-demand synchronization.

Your users will thank you if you provide a solution that offers a preview window so that they can review any changes to be made before the changes are executed. You might also want the option to include or exclude certain files during the synchronization process. A solution that offers logging and reporting features might help you keep an eye on the process and troubleshoot any problems. Finally, for those of you who are conscious about security, a sync tool that retains the security encryption of synced files can be useful.

Types of Solutions 

The buyers' guide table on the following pages focuses on third-party tools that are readily available for a relatively inexpensive price. Many of the tools come from software companies that specialize in synchronization tools. You might also want to take a look at the numerous free products that are available. See the Web-exclusive sidebar "Free to Sync" (www.windowsitpro.com, InstantDoc ID 97335) for more information about such solutions.

InstantDoc ID 97334 
Buyer’s Guide | Synchronization Tools

Beyond Compare
Vendor: Scooter Software, www.scootersoftware.com
Price per license: $30
What it syncs: Files, folders, directories, file shares, FTP servers
Where it syncs: Desktop and laptop, external hard disk, USB key, read-only comparison of DVD/CD-ROM, server to server, server to workstation (by network drive or FTP), one to one
When it syncs: On-demand sync in the GUI, scheduled sync support for scripts using the Windows Task Scheduler
Windows OSs supported: Windows Vista, Vista x64 (as 32-bit application), Windows Server 2003, Windows 2003 x64 Editions (as 32-bit app), Windows XP, XP Professional x64 Edition (as 32-bit app), Windows 2000 and earlier
Ability to include/exclude: Yes, can include/exclude by name, date, and attributes (read-only, hidden, system)
Syncs locked and open files: Locked files—no; open files—in some cases
Versioning capabilities: No
Ability to track deletions: Propagates deletes using Mirror command
Ability to interface: Runs interactively through GUI; runs scripts from the command line
Retains file encryption and file compression: Preserves file-modified timestamp; preserves EFS file encryption, but not folder encryption; doesn’t preserve NTFS file compression
Network use: LAN, WAN, VPN
Preview options: Yes
Automated conflict resolution: No
Ability to manually copy and delete: Yes
Reporting features: Yes
Logging features: Yes

FolderClone Professional Edition
Vendor: Salty Brine Software, www.saltybrine.com, www.folderclone.com
Price per license: $44.95
What it syncs: Files, folders, directories
Where it syncs: Desktop and laptop, external hard disk, USB key, DVD and CD-ROM sync if CD-ROM/DVD writing software is available on the computer and Drive Letter Access (DLA) is available, server to server, server to workstation, one to many
When it syncs: On-demand and scheduled sync
Windows OSs supported: All Win32 OS
Ability to include/exclude: Yes, also wildcards are supported; can ignore system/hidden files and folders
Syncs locked and open files: Most open/in-use/locked files can be copied using proprietary Locked File Manager. (Outlook PST and some system files can’t be copied.)
Versioning capabilities: No
Ability to track deletions: Yes
Ability to interface: GUI
Retains file encryption and file compression: Yes
Network use: Any network connection
Preview options: Yes
Automated conflict resolution: Yes
Ability to manually copy and delete: Yes
Reporting features: Yes
Logging features: Yes

PCsync
Vendor: Laplink Software, www.laplink.com
Price per license: $39.95
What it syncs: Files, folders
Where it syncs: Desktop and laptop, external hard disk, USB key, DVD and CD-ROM, server to server, many to one
When it syncs: On-demand and scheduled sync
Windows OSs supported: Vista, Windows 2003, XP, Win2K
Ability to include/exclude: Yes
Syncs locked and open files: Locked files—no; open files—no
Versioning capabilities: Yes
Ability to track deletions: Yes
Ability to interface: GUI
Retains file encryption and file compression: Yes
Network use: LAN, WAN
Preview options: Yes
Automated conflict resolution: Yes
Ability to manually copy and delete: No
Reporting features: Yes
Logging features: Yes

PeerSync Workstation
Vendor: Peer Software, www.peersoftware.com
Price per license: $149
What it syncs: Files, folders, directories, NT securities
Where it syncs: Desktop and laptop, external hard disk, USB key, mobile device, DVD and CD-ROM, servers, one to many, many to many, many to one
When it syncs: On-demand, scheduled, Enhanced Real-Time Monitoring (for local source directories)
Windows OSs supported: Windows 2003, XP, Win2K, and soon Vista
Ability to include/exclude: Include and exclude files and folders through full path or file or folder name and use of % sign
Syncs locked and open files: Locked files—yes; open files—yes
Versioning capabilities: Yes; user can configure how many file revisions to keep and for how long, allowing rollback to previous file
Ability to track deletions: Yes; deletions can be tracked in a one-way mode or bidirectionally, and archived
Ability to interface: GUI and command line
Retains file encryption and file compression: Yes
Network use: LAN, WAN, VPN through network share or TCP (with TCP WAN connector add-on)
Preview options: PreSync report gives information as to what would have happened if the specific job was run
Automated conflict resolution: Yes
Ability to manually copy and delete: Yes, one-time sync scans from a desktop shortcut or from GUI
Reporting features: Yes, administrative summaries and email reporting can be configured for individual folders/jobs
Logging features: Yes

Save-N-Sync Corporate
Vendor: Peer Software, www.peersoftware.com
Price per license: $79
What it syncs: Files, folders, directories
Where it syncs: Desktop and laptop, external hard disk, USB key, mobile device, DVD and CD-ROM, servers, one to many, many to many, many to one
When it syncs: On-demand, scheduled, Enhanced Real-Time Monitoring (for local source directories)
Windows OSs supported: Windows 2003, XP, Win2K, and soon Vista
Ability to include/exclude: Yes
Syncs locked and open files: Locked files—yes; open files—yes
Versioning capabilities: No
Ability to track deletions: Yes, one-way tracking
Ability to interface: Yes
Retains file encryption and file compression: No
Network use: LAN, WAN, VPN through network share
Preview options: No
Automated conflict resolution: Yes
Ability to manually copy and delete: Yes, one-time sync scans from a desktop shortcut or from GUI
Reporting features: Yes
Logging features: Yes

SyncBackSE
Vendor: 2BrightSparks, www.2BrightSparks.com
Price per license: $30
What it syncs: Files, folders
Where it syncs: Sync between drives, NAS devices, external drive, USB key, network drive, network shares, and FTP servers; syncs servers and workstations, one to one
When it syncs: On-demand, scheduled, and continuous sync, and whenever files are changed
Windows OSs supported: Vista, Windows 2003, XP, Win2K
Ability to include/exclude: Yes, can include/exclude explicitly and via filters
Syncs locked and open files: Locked files—yes; open files—yes
Versioning capabilities: Yes
Ability to track deletions: Yes
Ability to interface: GUI, but can be run via command-line parameters
Retains file encryption and file compression: Optional
Network use: LAN, WAN, VPN
Preview options: Yes, and files can be compared visually
Automated conflict resolution: Yes
Ability to manually copy and delete: Yes, and can override and change the decisions made
Reporting features: Yes (HTML format log file)
Logging features: Yes

SynchronEX
Vendor: Xellsoft, www.xellsoft.com
Price per license: $20
What it syncs: Files, folders
Where it syncs: Any kind of local file systems, FTP, Secure FTP over SSL/TLS, Secure WebDAV/WebFolders over HTTPS/SSL
When it syncs: On-demand, scheduled, loop/periodic, and custom scripting (Python) sync
Windows OSs supported: Vista, Windows 2003, XP, Win2K
Ability to include/exclude: Yes, with patterns and wildcards for files and folders, relative and absolute
Syncs locked and open files: Locked files—no; open files—no
Versioning capabilities: Yes—XVS history tracking
Ability to track deletions: Yes
Ability to interface: GUI and command line
Retains file encryption and file compression: Yes
Network use: LAN and WAN protocols (FTP, SFTP, DAV)
Preview options: Simulation mode
Automated conflict resolution: Yes
Ability to manually copy and delete: Yes
Reporting features: Graphical and textual summaries, scripting
Logging features: Yes

SyncLogic
Vendor: IPWorx, www.ipworx.com
Price per license: $16
What it syncs: Files, folders, directories, UNC shares
Where it syncs: Syncs between any two directories, whether direct drive letter or UNC share; can be USB, internal, external, or network share; allows multiple destination directories for master/multi-slave file sync
When it syncs: On-demand sync; can use GUI interface to add jobs to Windows Scheduler
Windows OSs supported: Vista, Windows 2003, XP, Win2K and earlier; Win9x platforms lack Windows Scheduler service so there are no scheduled jobs from Win9x platforms, though you can use third-party schedulers
Ability to include/exclude: Includes all files by default; allows exclusion by multiple file extensions
Syncs locked and open files: Locked files—no; open files—no
Versioning capabilities: No
Ability to track deletions: Yes, via the Clean Destination option
Ability to interface: GUI and command line
Retains file encryption and file compression: No
Network use: LAN, WAN, VPN
Preview options: Yes, as well as ability to create predefined jobs
Automated conflict resolution: No
Ability to manually copy and delete: No
Reporting features: No
Logging features: Yes

ViceVersa PRO 2
Vendor: TGRMN Software, www.tgrmn.com
Price per license: $59.95
What it syncs: Files, folders, directories, file shares
Where it syncs: Desktop and laptop sync, external hard disk, USB key, mobile device, DVD/CD-ROM, server to server, server to workstation, one to many, many to one, many to many
When it syncs: On-demand, scheduled, and continuous sync; runs as soon as a connection becomes available (e.g., connecting laptop to a LAN); add-on called VVEngine provides advanced scheduling options
Windows OSs supported: Vista, Windows 2003, XP, Win2K
Ability to include/exclude: Yes, can include/exclude based on name, date, size
Syncs locked and open files: Locked files—yes; open files—yes
Versioning capabilities: Yes
Ability to track deletions: Yes
Ability to interface: GUI and command line
Retains file encryption and file compression: No, for native Windows; ViceVersa PRO provides an optional compression and encryption feature
Network use: LAN, WAN, VPN; to work across the Internet, requires a VPN tunnel
Preview options: Yes
Automated conflict resolution: Yes
Ability to manually copy and delete: Yes
Reporting features: Yes, and can send email with sync/backup summary; VVEngine add-on also reports results via RSS feed to any machine on the network
Logging features: Yes

EDITOR’S NOTE: Some vendors that you might expect to see in this Buyer’s Guide said they didn’t have a product that exactly matched the criteria or didn’t respond to our requests for information about their products.
UC products blend voice, IM, email, and conferencing, letting users access these services through a single interface

Unified Communications Duo: OCS 2007 and Exchange 2007

by Paul Robichaux


Unified communications (UC) is yet another in an endless parade of technology buzzwords that you know must be important, since it's popping up on technology sites all over the Web, but you're not quite sure what it means—or how it will affect your IT job duties. If you're confused about UC, you're not alone: Microsoft, Cisco Systems, IBM, and other key players have their own definitions for UC, and those definitions sometimes differ considerably. As you might expect, Microsoft's definition of UC encompasses several of its own products—in particular Exchange Server 2007 and Microsoft Office Communications Server (OCS) 2007. To help you make sense of Microsoft's UC strategy, we'll look at some key aspects of that strategy, including various UC scenarios and the products that Microsoft envisions for them, as well as UC deployment decisions you'll need to make in the future.


UM and UC

First, let's talk about the difference between unified messaging (UM) and UC. The former generally refers to the ability to store and process voice and fax messages in the same containers, using the same clients, as regular email. Microsoft calls the voicemail and fax functionality in Exchange 2007 "UM," and Cisco and Adomo (two competitors in the market for Exchange-based voicemail systems) use the same term for their products. Other PBX vendors, including Nortel Networks, have long offered UM solutions specific to their PBX systems. The difference is that the current generation of UM products are IP centric instead of being tied to specific PBX models.

UC, on the other hand, is a much broader term whose definition depends on the vendor you ask. Microsoft defines UC as a way to let people communicate by uniting desktop telephones, Time-Division Multiplexing (TDM) and IP PBX systems, the Internet, voicemail, and faxes using a broad variety of clients and services. Perhaps more important, Microsoft places great emphasis on the fact that OCS—Microsoft's IM, voice, conferencing, and presence server and, with Exchange 2007, the cornerstone of its UC offerings—offers "software-powered VoIP." So, rather than trying to convince companies to dump their existing PBX systems and deploy OCS, Microsoft's angle is to point out that OCS adds advanced VoIP functionality to computers, so that you can complement (and, of course, selectively replace) your existing telephony capabilities. As a bonus, the upgrade costs for deploying future versions of OCS could well be lower than the costs of replacing or upgrading a PBX, especially if the PBX in question is an existing TDM system.



UC Components

In its UC vision, Microsoft positions Exchange as the UM component, handling voicemail, fax, and telephone access to messaging. OCS is the component that offers IM, conferencing, presence, and voice services. Microsoft is aiming OCS 2007 and Exchange 2007 at these primary scenarios:

• deploying Exchange 2007 for UM: In this scenario, OCS needn't be deployed, although Microsoft pitches OCS presence and IM as a natural complement to Exchange.

• providing Web conferencing: In this scenario, Microsoft positions OCS as a drop-in replacement for hosted conferencing services, such as Microsoft Office Live Meeting or Cisco's WebEx—which, by the way, just happens to also deliver presence and IM. Microsoft previously tried its hand at conferencing with the Exchange 2000 Server Conferencing Server product, which never caught on in the marketplace.

• using OCS to provide voice and conferencing alongside existing PBX systems: In this scenario, users in an organization can use Microsoft Office Communicator 2007 (Microsoft's UC client) as an OCS client while still using their ordinary desktop phones.

• using OCS to provide voice services instead of a traditional PBX: In this scenario, some users in an organization move to using IP telephones and Communicator as replacements for their existing desk phones. There are several specialized PBX features (such as analog fax and those huge multi-button phone consoles often seen at reception desks) that OCS doesn't handle, so in this scenario there may still be PBX-based devices.

28 Windows IT Pro DECEMBER 2007

In all these scenarios, Microsoft's strategy is to point out the tangible business value that can come from enhancing communication within an organization. Each scenario offers its own advantages from this viewpoint. All the scenarios benefit from the fact that OCS and Exchange rely on Active Directory (AD) for authentication and authorization, so there's a single unified directory for finding contacts, making appointments, and so on. Additionally, integration of Exchange, OCS, and other products (as I'll discuss shortly) forms a key part of Microsoft's UC strategy moving forward. Because you can deploy OCS and Exchange independently of one another, one key aspect of Microsoft's strategy to move customers along into UC is to get people who are now using one of these products to try the other.


Multiple Clients = More Ways to Do UC 

In the old days of email, you had email clients that did nothing but email. 
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New Belgium Brews 
a Potent Unified 
Communications 
Combo 

IT pros Jay Richardson and Travis 
Morrison tell how integrated email, 
presence, conferencing, and VoIP 
will support the 
craft brewer’s 
growth 

BY ANNE GRUBB 


| rom its start 16 
years ago, New 
Belgium Brew¬ 
ing Company 
(located down 
the road from 
Windows IT Pro headquar¬ 
ters in Loveland, Colorado) 
has been ahead of the curve 
in implementing brewing and 
manufacturing technologies. 

Nevertheless, New Belgium IT 
director fay Richardson and 
senior systems administra¬ 
tor Travis Morrison hadn't 
planned to be early adopters 
of unified communications 
(UC), a technology that's argu¬ 
ably still "emerging." But while 
upgrading the company's 
phone system to VoIP, they saw an opportunity to implement Micro¬ 
soft's UC product suite—Exchange Server 2007, Office Outlook 2007, 
Office Communications Server (OCS) and Office Communicator 
2007, and Live Meeting—to enable employees to more easily interact 
with each other and with business partners. I recently got a firsthand 
look at the new UC system, set to go live in November, and talked with 
fay and Travis about the system's business benefits. 


■■■■ ■■■■■ III 

PHOTOGRAPHS OF JAY RICHARDSON AND TRAVIS MORRISON BY TIM O’HARA 
















□CS 2007 and Exchange 2007 

Q: Why did you consider a 
UC solution? 

JR: A year ago, we recognized that we were reaching the lim- f 

its of our current phone system. We had to rely on a service 
provider in Denver [to maintain and repair the system]. That 
pointed us in the direction of VoIP, and after a fair amount of 
due diligence, we landed on a Cisco Systems solution. 

At about the same time, we decided to move from a 
Novell- to a Microsoft-based infrastructure. As we learned 
about new Microsoft products, like Exchange 2007 and OCS 
2007, we realized that a lot of the functionality we hoped 
to enjoy with the new phone system would be enhanced 
if we migrated to the Microsoft environment. So in July, we 
partnered with 3t Systems to migrate to Microsoft. 

It hit us that with Communicator, we've already put a 
softphone on every PC in our organization. It was appealing 
to us to avoid introducing yet another tool to co-workers. We 
certainly didn't set out to be an early adopter of Microsoft's 
UC platform, but the more we started to learn about our 
new Microsoft environment, the more it made sense to at 
least give it a shot. 

Q: What tasks are users currently doing that 
UC would make easier? 

JR: [About one-third] of our employees are remote workers in our sales 
force who use notebook PCs. [IT has to keep in mind] that our company's 
growth over the next five years is essentially going to come from greater 
sales capabilities. The bulk of our new employees are going to be remote 
workers. So we need to have a communications infrastructure that will 
make it easy for them to stay connected with each other. 




this information. From 

a user standpoint, it means the same information is available in many 
different places. For example, Travis sent me an email that said, “Click 
the orb next to my name." The orb indicated his presence. And after I 
clicked the orb, I had the option to reply with an IM, start an impromptu 
meeting with him, call him on his PC, or call him on his mobile phone. 
One click presented all those options, coming out of AD or my own 
Outlook contacts. 


TM: I think what we're really gaining from the level of integration [in 
Microsoft's UC products] is how quickly an IM can escalate into a voice 
call. Then you can video in, open Live Meeting, look at a document [via 
Communicator], and everyone's looking at the same thing. We also use 
Live Meeting Server, which gives us the ability to host our own virtual 
meetings. And once we've implemented our OCS 2007 Edge server role, 
we'll be able to do enterprise IM and host our own Live Meetings for 
people outside of the company. 


TM: One of the best examples is when Jay was at a conference, and we 
had an issue with a server. He VPN'd in, started a Communicator call, 
enabled video, shared his desktop via a Live Meeting, did a Remote 
Desktop into the server here, and we both looked at the same desktop. 
We discovered the issue, fixed it, and were done. 

Q: What problems have you encountered in 
the UC migration? 


JR: Microsoft's softphone with Office Communicator ties into your con¬ 
tacts in Outlook and Global Address List (GAL) details that are in Active 



Directory (AD), both of which can be accessed from 
Windows Mobile devices. From an IT administration 


What could be better than fine beer and top-notch technology? New Belgium 
Brewing Company has plenty of both. Read Jeff James’ blog post about how 
the craft brewer uses technology not just to brew great beer, but to keep its 
environmental footprint small—at www.windowsitpro.com/Blog/index 
.cfm?action=blogindex&DepartmentlD=l075. 


TM: Most of our hurdles have been related to integration between OCS and the Cisco system. Furthermore, as expected, there's been a limited amount of documentation and experienced technicians to reference. Thanks to collaboration between Microsoft and 3t, we continue to make progress.
Separate applications handled calendaring. Gradually those technologies converged into single applications, and over time, other communications and data types (such as RSS feeds and public folders) have been added to email clients. UC represents a new wave of services that don't fit comfortably into the mold of email clients like Microsoft Office Outlook and Lotus Notes; UC services are real time, and they offer communication types that might not directly match the existing paradigms of how we work with email clients.

That's an opportunity rather than a problem: Microsoft is delivering several new clients that provide UC voice and conferencing functionality on desktop, laptop, mobile, and browser-based clients. Communicator 2007 is the premium client for conferencing and voice on Windows Vista/XP/2000 systems; Microsoft Office Communicator Web Access provides IM and presence capability on a variety of Web browsers (including, surprisingly, Safari on Mac OS X and Firefox on Windows and Mac OS X); and Microsoft Office Communicator Mobile provides similar functionality on Windows Mobile devices running Windows Mobile 5.0 or Windows Mobile 6.

On top of the software-based clients, OCS 2007 supports a number of "hard phones": devices that look like phones (or parts of phones) but use Communicator 2007 or OCS 2007 for voice transport. For example, the "Catalina" class of devices is a USB handset that you pick up and use like a regular phone, but instead of a keypad you use Communicator to locate people and place calls to them. (You can find more information about Polycom's Catalina-class devices at www.polycom.com/usa/en/support/voice/cx/communicator_cx200.html.) Because OCS has a flexible call-routing engine, OCS users can freely place calls to PBX extensions or to outside users who aren't using OCS. A typical use case might be for me to use Communicator on a laptop to place a call to an internal user at my company, then use Communicator to conference in a third party on a cell or desk phone. I could probably do these things with other tools, but if you've ever tried to look up a number while in a phone call on your cell, then conference that person in, you'll quickly see that the Communicator experience is worlds better than the button-mashing process required on most PBX phones. Of course, this improvement comes at a cost of additional deployment and implementation details.

The only problem with this approach is that the provisioning process for these new clients is still a big question mark. For example, Microsoft to date hasn't released any information on best practices for deploying IP phones designed for Communicator. This isn't surprising, given that the phones won't start shipping in quantity until late 2007 from Polycom and LG-Nortel, but most organizations want to see detailed deployment information before they make any deployment commitments.

OCS and Exchange Integration

Microsoft has historically made a big deal out of the fact that its products integrate well together. Sometimes this is just marketing noise, but sometimes that integration really does make a big difference in how solutions can be designed and deployed. The integration between OCS and other products in Microsoft's collaboration and communication lineup is a good example. You can deploy Exchange 2007 or OCS 2007 by itself, but in concert the products provide some extra capabilities:

• Exchange can send missed-call and voicemail notifications for calls originated by OCS, so that no matter where a call originates or terminates—OCS or PBX—you get consistent notification.

• Exchange can send a message-waiting indication for OCS clients, so that you get visual notification of available voicemail messages. This is a neat feature that typically requires third-party products.

• OCS automatically uses the out-of-office (OOF) message text you set in Exchange, so that you can set your OOF text once and have it reflected in both email and voice/IM/presence.

• As soon as you install OCS, Windows SharePoint Services team sites and document libraries can display presence information about users in a library, and you can take actions (such as placing phone calls and initiating IM or conference sessions) directly from within SharePoint sessions.

• Microsoft Office Outlook 2007 and 2003 display presence information for contacts in your organization's AD, as well as for selected external users, and you can make calls using OCS for any contact that has a phone number defined.

There are lots of other integration touch points: Microsoft has clearly learned from its previous efforts to integrate Exchange Server 2003 and Microsoft Office Live Communications Server 2005. Microsoft's strategy in this area is to make UC capabilities broadly available through Microsoft's client and desktop products, and to take full advantage of individual server products while doing so. From a deployment standpoint, you should bear in mind that it's simpler to deploy Exchange 2007 first, then add OCS, rather than the other way around, because of the requirement to match UM dial plans and OCS location profiles. It's possible to perform the schema updates required for OCS without installing the product; if you think you'll eventually want to install OCS, you should consolidate the schema updates so that you only have one update and replication cycle.

Dial by Name, Not by Number

Most people use DNS names to find computers on the Internet. Sure, you could use IP addresses, but the whole point of having the DNS system is to have a namespace that's easier to use. That raises the legitimate question of why we have to use telephone numbers to reach people! For example, on most modern cell phones you can dial a contact by name or by voice. However, that capability is useful only if you have the right phone number in the first place, which is where having a single standardized enterprise directory (AD in this case) comes in handy. Assuming you provision your directory well, your users' contact numbers will be available so that you can use the dial-by-name functionality in Exchange 2007's Outlook Voice Access (OVA) and various OCS clients.

However, there's a bigger departure from convention in the wings. Microsoft has realized that when you want to contact someone, you don't care what number you have to call—you just want to reach the person. This desire can be satisfied in two primary ways:

• OCS supports call forking, better known as simultaneous ringing. When you call someone's desk, for example, OCS can also ring their cell and home phones so that they hear the incoming call no matter where they are.

• Using Communicator, you can redirect incoming calls to another number. Say you're just about to leave your office for a meeting when a call comes in. With a single click, you can redirect it to your cell phone. The caller is never aware that the call's been redirected, but when your cell rings you can answer it, walk out of your office, and get on with your business. (You can also send calls directly to voicemail, a terrific feature in my book.)

These two features mean that, for the caller, knowing which number to call becomes much less important. In addition, some of the new OCS phone hardware doesn't include any way to manually dial numbers! For example, the Catalina-class devices are just handsets, as are the "Orca"-class wireless, cordless devices. (Find more information about Polycom Orca-class devices at www.polycom.com/usa/en/support/voice/cx/communicator_cx400.html.) Because Communicator can dial any of the phone numbers associated with contacts in your contact list, you can start a call to someone without having to dial a phone number; when you do place the call, the features I've described make it easy for the person you're calling to route the call appropriately. You can still enter a phone number manually using Communicator, using either an on-screen dial pad or by just typing the phone number itself.

Of course, for these features to be useful, you have to actually populate your directory with the correct phone numbers. Exchange can use your personal contacts folder to look up phone numbers, but you'll probably want to consider updating AD to ensure that your employees have correct home and office numbers. In doing so, this might lead you to consider giving them the ability to edit their own phone numbers (and possibly other directory information) by using a product such as Ithicos Solutions' Directory Update (www.ithicos.com).

Quality of Experience

Quality of Service (QoS) is a networking feature that's supposed to allow isochronous traffic (traffic that's synchronized with or based on a timeline—for example, voice or video) to flow without interruption or degradation. QoS depends on network equipment and software that can tag network packets with information about the kind of data they carry. With appropriate QoS policies and equipment, you should be able to ensure that voice or video traffic takes priority over file transfers, SMTP, or other protocols that aren't isochronous. However, QoS has some problems that have slowed its adoption. The most obvious is that to get any benefit from QoS, you have to implement it everywhere within your network; if you don't, non-QoS-equipped devices might affect the quality of voice traffic as they happily ignore QoS restrictions. Compounding this problem is the fact that you can't guarantee that QoS will be preserved across the Internet, making it difficult to guarantee adequate voice quality for users outside the firewall.

Microsoft's approach to preserving voice quality doesn't use QoS at all (although you can still implement it on your network if you want). Instead, Microsoft's products focus on delivering high quality of experience (QoE), a measure that indicates how satisfied users are with the overall communications experience. This is a good move on Microsoft's part for two reasons. First, the codecs used by OCS 2007 and Communicator 2007 are smart enough to adjust their encoding parameters according to the amount and latency of bandwidth available. Speech and video quality gradually degrade as the amount of bandwidth decreases, but you can get surprisingly good voice and video quality with as little as 64kbps of bandwidth. Second, Microsoft's products are closely integrated, so that features like click-to-call and presence indicators are ubiquitous and easy to use. For most users, "easy to use" translates directly to "better QoE scores," and because Microsoft controls all the pieces of its solution, it's able to capitalize on its products' integration to improve QoE.

The sound quality of IP telephony sessions is most commonly measured using the Mean Opinion Score (MOS), a single-number score that's supposed to express the perceived quality of the received audio. An MOS of 1 is low; an MOS of 5 is the highest. Listeners are asked to rate audio in terms of its quality (how understandable or intelligible it is) and its impairment (ranging from unobtrusive to very annoying). All other things being equal, if one UC system has a higher MOS score than another, it's reasonable to expect that users will be more satisfied with its voice quality. In a 2006 study by Psytechnics (www.psytechnics.com), Microsoft reported that the MOS scores for Communicator's RTAudio and RTVideo codecs beat the MOS scores of several competing codecs. However, the actual experience your users get will vary according to the quality of their connections and the sound hardware they use. Even with good voice quality, shouting into a laptop microphone doesn't give as good an experience as using a good-quality headset or external device, and you should factor the cost of such equipment into your deployment budgets.


UC Partnerships

The launch of OCS 2007 was preceded by an unusually large number of partnership announcements. One of the reasons Exchange has become such a successful product is because there are hundreds of third-party companies developing software and solutions to extend and improve it. However, email essentially provides built-in interoperability; you don't have to worry about PBX interoperability, which kind of IP phones to buy, or other issues that have held back the deployment of UM and UC solutions. A number of vendors have introduced or announced products specifically tailored to work with the UC features of OCS and Exchange; these range from software such as Geomant Enterprise Solutions' message-waiting software for Exchange to hardware such as Samsung's line of monitors with built-in cameras and microphones and Polycom's IP phones that work directly with Communicator. Because there are several different clients that work with Exchange and OCS, the potential market for ISVs that sell products to enhance Exchange and OCS is expanding, and ISVs are taking notice. This same approach has worked wonders for Exchange.

Try Before You Buy

Over the last several years, Microsoft has thoroughly embraced the concept of "try before you buy." You can download trial versions of Exchange, OCS, and Communicator, and prebuilt sets of virtual machines are available for these products as well. This gives you an easy path to test out how the products might work in your environment and how your users might accept them. Microsoft's own consulting and sales organizations often offer proof-of-concept deployments as part of their initial sales approach because once users get a taste of the feature set, they immediately start finding ways to put those features to productive use. For example, you can deploy a single Exchange 2007 server to act as a Mailbox and Client Access server, then let selected users test the new Exchange ActiveSync features, or you could add a single OCS 2007 Standard Edition server to provide presence and IM to a pool of test users. Pilot and proof-of-concept projects for UC products make good sense because these products often represent long-term strategic investments and should be treated as such.

OCS and Exchange: Keys to Microsoft's UC

OCS 2007 and Exchange 2007 are core parts of Microsoft's product line. Exchange has grown to be more than a billion-dollar-a-year business, and the Unified Communications Group would no doubt like to see OCS join that exclusive club, too. Whether it will do so depends on how well Microsoft can execute its vision for software-powered VoIP as an adjunct to other forms of communication, and on whether companies are willing to deploy OCS in conjunction with Exchange to take full advantage of the integration points between the two products (and with other Microsoft products).
Exchange's Evolving Strategy

An Exchange expert looks at where the product has been—and where it might be headed next

by Tony Redmond


Microsoft developers are working on the code-named "Exchange 14," the successor to Exchange 2007 that we can expect to see in 2009. Exchange 2007 is the first version in the third generation of Exchange. (The first generation spanned Exchange 4.0 to 5.5; the second spanned Exchange 2000 to 2003.) The next version of Exchange will build on Exchange 2007's architecture and won't introduce any major changes, such as becoming a 64-bit application or moving away from the current Jet database to use SQL Server. (The latter change was supposed to occur in a version code-named "Kodiak" and was scheduled to ship after Exchange 2003. Kodiak never appeared, and Microsoft produced Exchange 2007 instead.) You can expect Exchange 14 to introduce some new features, but the majority will be bug fixes and incremental improvements to the product. Microsoft will also have to continue to increase the level of security and overall robustness found in the product.

The version after Exchange 14 should appear in 2011 to 2012; with it, Microsoft has the opportunity to upgrade the server's architecture more thoroughly. Although 2011 seems a long time away, work has already begun to understand the technology trends that will exert an important influence over the Exchange development team. Given the current situation, competitive pressures, and what I call the "Exchange ecosystem," what are the major influences that are likely to form Microsoft thinking on the next versions of Exchange? Like all pundits, I have my own theories and favorite technologies. The six areas I think are the most important for Microsoft to focus on are: automation, virtualization, mobility, unified communications (UC), information management, and Software as a Service (SaaS). Let me share my view of Microsoft's evolving strategy with Exchange with you by beginning with a description of the Exchange ecosystem.


It’s the Ecosystem, not Exchange 

Exchange sits in the middle of an ecosystem that has grown up around the application since Microsoft released Exchange 4.0 in 1996. It's difficult for any software product to gain success on its own. Even with its marketing might, Microsoft couldn't have sold more than 140 million licenses for Exchange without the presence of a huge number of third-party software companies that develop add-on products for Exchange. These developers have stuck with Exchange even as Microsoft switched APIs and product directions quite dramatically over the past decade. In 1996, third-party products filled in gaps by providing such technologies as messaging connectors to link Exchange to legacy email systems and fax. Today, the emphasis has shifted to areas such as information management and compliance. The change in focus represents new market opportunities that have opened up as technology evolves and as new gaps in Microsoft-provided functionality are exploited.

Figure 1: Exchange and PowerShell

Microsoft has a complex balancing act to perform as the Exchange development group considers what new features to add in a new release of Exchange. The engineers want to work on new and exciting challenges. The marketing team wants to keep Exchange ultra-competitive against other email servers such as Lotus Notes and open-source messaging servers. Microsoft's dilemma is that it can't add features in a way that discourages third-party software developers from adding to the Exchange ecosystem. If Microsoft takes over an area, eliminating it as an opportunity for third parties, the ecosystem will degrade. What happened with antivirus is an obvious example. Microsoft bought Sybari, the industry antivirus leader, in 2005 and incorporated its technology—Forefront Security for Exchange—into the enterprise version of Exchange 2007. It's difficult for a third party to pit its technology against Microsoft, and the once-vibrant antivirus add-on market for Exchange is now deflated. Microsoft has argued that moving into the antivirus space was crucial for providing out-of-the-box protection for Exchange. Given the amount of spam and threat-ridden email that floats around the Internet, it's hard to argue against this. But my point is that Microsoft can't move into too many new areas too quickly without negatively affecting the Exchange ecosystem, and this necessity tempers some of the development options the Exchange team can choose. Let's now look in more depth at the six areas I believe Microsoft will need to focus on in its ongoing development of Exchange.

Automation 

Customers have rightly criticized Microsoft in the past because Exchange lacked scripting capability to allow administrators to configure, maintain, and monitor servers. If you wanted to do something such as set the diagnostics level for a server, you looked through the GUI for an option on a property page or a command button, and if a Microsoft engineer hadn't added the necessary option, you were out of luck. Administrators could enable some options by editing the system registry, and it was sometimes possible to script some options through Windows Management Instrumentation (WMI) or Outlook. All in all, it was a fragmented and unsatisfactory situation, but the introduction of Windows PowerShell support in Exchange 2007 changed all that. As Figure 1 shows, the Exchange development team uses PowerShell as a foundation for a set of nearly 400 commands that encapsulate the business logic for managing Exchange 2007. This logic used to be spread across the product and incorporated into the GUI, but now all of the management components consume the same set of commands and therefore the same business logic. The development team now has one place to make changes to update Exchange, and once made, changes are effective across the entire product.

38 Windows IT Pro DECEMBER 2007
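An added example (not code from the article, and not a Microsoft script) of the scripted administration the text describes: the diagnostics-level change that once required hunting through the GUI or the registry, done through Exchange 2007 Management Shell cmdlets and verified by reading the value back. The server name and event category are placeholders, and the "Server\Process\Category" identity form is an assumption.

```powershell
# Added example, not from the article. Assumes an Exchange 2007
# Management Shell session with Exchange Server Administrator rights.
# Category and server names are placeholders; the server-qualified
# identity string is an assumption about how Get-/Set-EventLogLevel
# address a particular server.

$category = 'MSExchangeTransport\SmtpReceive'   # placeholder category

function Set-DiagnosticLevelWithCheck {
    param(
        [string]$Server,
        [string]$Category,
        [string]$Level = 'High'   # Lowest, Low, Medium, High, Expert
    )

    $identity = "$Server\$Category"   # assumed identity form

    # Capture the current level so the caller can revert later.
    $before = Get-EventLogLevel -Identity $identity

    # The same cmdlet the GUI calls performs the change: one piece of
    # business logic whether it is invoked from the console or a script.
    Set-EventLogLevel -Identity $identity -Level $Level

    # Read the value back and verify instead of trusting the call.
    $after = Get-EventLogLevel -Identity $identity
    if ($after.EventLevel -ne $Level) {
        throw "Level on $identity is $($after.EventLevel), expected $Level"
    }

    return $before.EventLevel
}

# Raise the level on every Hub Transport server, remembering originals.
$original = @{}
$hubs = Get-ExchangeServer | Where-Object { $_.IsHubTransportServer }
foreach ($srv in $hubs) {
    $original[$srv.Name] = Set-DiagnosticLevelWithCheck -Server $srv.Name -Category $category
    "$($srv.Name): $category logging raised to High (was $($original[$srv.Name]))"
}

# ... reproduce the problem and collect the Application log entries ...

# Revert so verbose logging does not stay on longer than the investigation.
foreach ($name in $original.Keys) {
    Set-EventLogLevel -Identity "$name\$category" -Level $original[$name]
}
```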

But life isn't perfect yet. For one thing, it took Microsoft far too long to introduce a common scripting language for Exchange. Some inconsistencies exist in syntax between different PowerShell commands, and because not all Microsoft development groups have incorporated PowerShell into their product plans, you can't use native PowerShell commands to manage other parts of Windows that are important to Exchange, such as Active Directory (AD) except through WMI. However, you can expect PowerShell to evolve over time to a point where you'll be able to perform the vast bulk of administrative tasks for a server and its applications through PowerShell commands.

I expect Microsoft to continue to improve the PowerShell environment by adding commands and the ability to manage more components within the Exchange ecosystem. I also expect that third-party software providers will enhance PowerShell with tools such as IDEs and additional commands. Finally, the power of the Internet will make PowerShell scripts and other code snippets available to the community for free reuse, in the same way people post code samples for other programming languages today. As the Exchange community becomes more proficient and inventive with PowerShell, you'll see many more examples posted in a form of open-source community for Exchange.

Virtualization 

It was easy to configure servers for applications in the early days of Windows because all you had to do was follow the "one application per server" rule. Some administrators still believe that Windows applications run best when they observe this guideline. It's certainly true that this creates a simple Windows infrastructure that's easy to manage, but the approach is outdated and wastes valuable computing resources. Server technologies began to outrun the ability of applications to keep them fully utilized some years ago: Server benchmarks for Exchange 5.5 in 1999 scaled up to much the same number of mailboxes that we run today. Workload characteristics have become more demanding, and the latest generation of 64-bit servers can support huge workloads, yet most servers deployed in datacenters are relatively underutilized.

Originally, Microsoft didn't support virtualized Exchange because the Exchange team hadn't had the opportunity to fully test Exchange running on a virtual server. Then, Microsoft said it would support a problem that occurred for Exchange on a virtual server if you could reproduce the problem on a standard server. Microsoft's current support policy is to support Exchange 2003 on a virtual server if you run Microsoft Virtual Server 2005 R2 or later, but not VMware. (For more information, see the Microsoft article "Support policy for Exchange Server 2003 running on hardware virtualization software" at support.microsoft.com/kb/320220.) The situation for Exchange 2007 is more complicated because Exchange 2007 runs only on 64-bit servers and Microsoft doesn't yet supply virtual server software that supports 64-bit guest systems, a situation that is expected to persist until Microsoft releases a new hypervisor in Windows Server Virtualization, codenamed "Viridian," which isn't expected until at least 180 days after the release of Windows 2008. You can run Exchange 2007 (including clusters) on VMware ESX Server as long as you're willing to live with the restriction that Microsoft won't support you in fixing a problem unless you can reproduce it on a standard server.

Virtualization will become increasingly important as servers become more powerful, virtualization software becomes more capable, and pressure on reducing IT costs continues. Microsoft is behind VMware in terms of features and performance today, but you can expect that the company will dedicate the necessary amount of focus and investment to make Windows a solid virtualization platform. In five years or so, we'll likely run all Windows applications on virtual machines, and the notion of dedicating a server to one application will be obsolete.

Mobility 

The major problem with mobility that enterprises are facing today is controlling the costs involved with acquiring and managing mobile devices, including securing the personal and corporate data contained in the email, contacts, and other information that the devices hold. Devices connected to Exchange can be grouped into three major families: Research in Motion's (RIM's) BlackBerry, Symbian, and Windows Mobile. Many BlackBerry users connect to their mailboxes through the BlackBerry Enterprise Server, which handles the communication between Exchange and the device through a Network Operations Center (NOC) managed by a telecommunications provider. Although many devices that run the Symbian OS connect to Exchange through the IMAP4 or POP3 protocols, Symbian licensed the ActiveSync protocol from Microsoft in March 2005, and some newer devices can use ActiveSync to connect to Exchange. ActiveSync is built in to Windows Mobile devices, which can use client-side and server-side software to synchronize a device with Exchange. Server-side ActiveSync is incorporated in Exchange 2007 and Exchange 2003 SP2 and uses Over-The-Air (OTA) communication to synchronize email, calendar, tasks, and contact information through an encrypted HTTP Secure (HTTPS) connection.

You can connect a baffling array of devices to Exchange today. Each device is likely to have its own feature set depending on the device, OS version, and applications that the device vendor bundles with it. Enterprises might try to set corporate standards for mobile devices, but many users view these devices as personal tools and purchase their own. What results is that administrators might be expected to support requests to connect devices that they've never heard of to Exchange. The result of user-driven device choice is often poor support, high user frustration, higher corporate expense, and low levels of security. Except for those corporations that take a hard line toward the devices they'll allow users to attach to their networks, the situation is unlikely to improve in the short term because analysts expect purchases of mobile devices to remain divided across the major device families. (See the sidebar "The Mobile Device Landscape" for a quick look at how market share for the three major device families is predicted to change over the next several years.)

The Mobile Device Landscape

Figure A shows mobile-device shipments in 2005 and 2010, as forecasted by IDC. Although Windows Mobile is expected to grow from shipping 6.1 million devices in 2005 to 22.1 million in 2010, Symbian sustains reduced but still substantial market leadership and is expected to ship 54.8 million devices in 2010. Research in Motion's (RIM's) BlackBerry will remain popular, especially in corporate email deployments, but will come under pressure from new devices and management applications, especially in Windows environments. It's worth noting that BlackBerry is a closed ecosystem that is supported by the cell operators who make money through the Network Operations Center (NOC). Because the cell operators are involved, the cost of connecting RIM devices is often lower than the cost of connecting equivalent Windows Mobile devices, although this differential may disappear as it becomes more attractive for cell operators to sell unlimited data plans for an increasing number of Windows Mobile devices.

Mobile devices will continue to evolve rapidly, and we can expect improved management capabilities for these devices in the upgraded versions within the 2009 to 2010 timeframe. Although Exchange 2007 includes a new version of ActiveSync that does a good job of synchronizing email, calendar, and tasks from user mailboxes with Windows Mobile devices, the surrounding management framework is weak. Microsoft is unlikely to engineer two competing products to manage Windows Mobile devices; over time, I expect that Microsoft's focus for enterprise mobility management will be on System Center Mobile Device Management Server (SCMDM). In this scenario, management features available in Exchange will remain limited and will operate solely on policy settings that are required for email.
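An added example, not from the article, of the email-related policy settings Exchange 2007 itself can enforce on ActiveSync devices, as a defence against the unmanaged, user-chosen devices the text describes: a baseline mailbox policy, an audit for mailboxes that synchronize with no policy assigned, and a per-mailbox device inventory. The policy name, the thresholds, and the mailbox name are placeholders chosen here.

```powershell
# Added example, not from the article. Assumes an Exchange 2007
# Management Shell session with Organization Administrator rights.
# Policy name, thresholds and mailbox names are placeholders.

$policyName = 'Corp-Mobile-Baseline'   # placeholder policy name

# Create the baseline policy once: require a device password, lock
# after inactivity, wipe the device after repeated bad passwords, and
# refuse devices that cannot enforce these settings (the "devices
# you've never heard of" problem from the text).
if (-not (Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName })) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -DevicePasswordEnabled $true `
        -AlphanumericDevicePasswordRequired $true `
        -MinDevicePasswordLength 8 `
        -MaxInactivityTimeDeviceLock '00:15:00' `
        -MaxDevicePasswordFailedAttempts 10 `
        -AllowNonProvisionableDevices $false `
        -PasswordRecoveryEnabled $true
}

# Audit: a mailbox with ActiveSync enabled but no policy assigned is a
# device-management gap (Exchange 2007 assigns no policy by default).
function Get-UnmanagedActiveSyncMailboxes {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy }
}

# Bring every gap found by the audit under the baseline policy and
# return how many mailboxes were changed.
function Set-BaselinePolicyOnUnmanaged {
    param([string]$PolicyName)
    $gaps = @(Get-UnmanagedActiveSyncMailboxes)
    foreach ($cas in $gaps) {
        Set-CASMailbox -Identity $cas.Identity -ActiveSyncMailboxPolicy $PolicyName
    }
    return $gaps.Count
}

$fixed = Set-BaselinePolicyOnUnmanaged -PolicyName $policyName
"Assigned $policyName to $fixed previously unmanaged mailbox(es)"

# Inventory the devices that have actually partnered with a mailbox, so
# unfamiliar device types are visible before they become a support or
# security problem.
function Get-DevicesForMailbox {
    param([string]$Mailbox)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceType, DeviceID, DeviceUserAgent, LastSuccessSync
}

Get-DevicesForMailbox -Mailbox 'jsmith'   # placeholder mailbox

# A lost or stolen device is handled by wiping that one partnership;
# the wipe is delivered on the device's next sync. Left commented here
# because it is destructive:
# Clear-ActiveSyncDevice -Identity '<device Identity from the inventory>'
```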

Unified Communications 

To many, "unified communications" means voicemail integration with Exchange. Such integration isn't a new concept—vendors such as Nortel have supported voicemail integration for Exchange since the late 1990s, albeit only for specific PBXs and with some expensive hardware. The idea behind UC—being able to access information from many different sources in an integrated manner and appropriately to the device used—is compelling. Certainly, anyone who has used Exchange Server 2007 Unified Messaging (UM) would be unlikely to want to return to a traditional voicemail system.

What's changing today is the entry of Microsoft into the market with Exchange UM and a new version of Office Communications Server (OCS) in combination with Cisco's determination to leverage its predominance in networks and move into the applications area. Cisco Unity, which connects Exchange to voicemail via Cisco Call Manager, directly competes with Exchange UM. Microsoft is tackling the problem of how to integrate voice, data, and video by incorporating these capabilities into its applications. On the one hand, Microsoft is exploiting its huge installed base by driving down the price of applications like UM to encourage customers to move to those applications. On the other hand, Cisco is evolving its huge base of networking and products to add applications like Unity and powering the transition from older analog-based PBXs to VoIP to introduce customers to the possibilities of UC. Both companies say they're working together, but the reality is that we're likely to see full-blown competition to win market share. Of course, Microsoft and Cisco connect to different people within the overall customer base: Microsoft usually connects with teams responsible for deploying applications such as Exchange, whereas Cisco usually connects with the teams that provide network infrastructure and telephony services. In many cases, these teams aren't well integrated, which causes some tension internally. But competition usually drives innovation. With two heavyweights competing for leadership in UC, we can expect features and functionality in applications to improve, better integration with existing infrastructures, new devices (for example, new generations of VoIP phones), and lower costs.

Information Management 

If you've been running Exchange for any length of time, it's likely that you have too much email in your databases. You undoubtedly have some important information locked up in the databases that isn't immediately accessible, and you might find that you need that information to comply with legislative or regulatory requirements. Microsoft designed Exchange to be an email server, not an information archiving and recovery system, and given the increasing demands on corporations to comply with regulations from the Health Insurance Portability and Accountability Act (HIPAA) to the Sarbanes-Oxley (SOX) Act to SEC 17a-4, there's a lot of activity within the Exchange ecosystem to provide information management solutions. 

Work to figure out how best to manage the information held in Exchange databases began ten years ago. Symantec's Enterprise Vault product originally began as a project within Digital Equipment in 1997 to offload messages from Exchange and move them into a Hierarchical Storage Management (HSM)-like vault. At that time, storage was expensive and servers were hard-pressed to manage very large databases (and Exchange was restricted to a 16GB database). Over time, storage costs have come down, Exchange now supports huge databases running on 64-bit servers, Microsoft Volume Shadow Copy Service permits online snapshots to back up databases, and the challenge now focuses on mining information from Exchange for corporate purposes such as compliance. A wide variety of products help users and companies control information better. For example, ClearContext offers software to help Outlook users organize messages intelligently. HP, Commvault, Mimosa Systems, and CA all offer products that mine information from Exchange databases. 

Microsoft introduced context-based indexing for databases in Exchange 2007. (Earlier attempts to provide similar functionality weren't successful because indexing stole too many system resources.) Outlook 2007 clients that work in cached Exchange mode use Windows Desktop Search (WDS) to initiate connections to PST files from their mailbox, as Figure 2 shows. Although current search technology can index the metadata from voice and graphic messages, it can't index the actual content. I expect this situation to change as R&D investments in new search technology result in the ability to index nontext content. 

We can expect the overall volume of email to increase. To create a complete picture of corporate data, repositories other than mailboxes—such as SharePoint portals, team spaces, and public folders—will need to be searchable. I expect Microsoft to improve the search and retrieval capability in Exchange and to forge a closer connection with SharePoint (if only to bridge the gap that occurs around public folder migration), but I don't expect the company to enter the instant messaging (IM) arena. 

Software as a Service 

Microsoft's biggest challenge, both technically and economically, is to change the way users license and consume software from a closed system wherein users control the OS, server, and clients, to a system wherein users select applications that are delivered via the Internet. Notable examples of successful application delivery, such as Salesforce.com, already exist. Over the coming years, rapid growth in network availability coupled with lower cost and new Web-based programming models will deliver some real alternatives to the classic Windows+Exchange+Outlook solution for enterprise-grade email. 

Google is most likely to compete with Microsoft in this space, and that company is already making the necessary investments to build a suite of programs that deliver Exchange-like functionality. Gmail today is a long way from being perfect, but it's already better than many corporate email systems were a few years ago and will benefit from Google's rapid-development model to add features and become more competitive against a full-function client like Outlook. Google may have to develop its own API to compete with the richness of MAPI because Internet protocols such as IMAP4 aren't rich enough to support the range of features that Outlook delivers. 

Google is already pitching the prospect of email delivered via the Internet as a service to customers. Initial interest is from the education sector, rather than large enterprises. Universities are attracted by Google's single annual fee to deliver email, calendar, and IM. Breaking into the corporate sector won't be easy for Google because IT teams will ask questions about security, compliance, and management that Google might find difficult to answer today. But given time and development effort, it's likely that Google and perhaps other vendors will find answers that satisfy customers, perhaps first in the small to medium sector and then in large enterprises. Microsoft might respond to the threat by developing its Microsoft Live capabilities to achieve feature and cost parity with Google. The difficulty will be to develop a Microsoft email SaaS offering without decimating the Exchange installed base. In addition, Microsoft has to figure out how Exchange and any future email product will cooperate, interoperate, and coexist seamlessly so that customers will be able to deploy all or part of their organization on either or both platforms and have the ability to move data and mailboxes between them. This is a staggeringly complex challenge, but it's possibly the most important one for the long-term future of Exchange. 

Time Will Tell 

After some twelve years of development, there's still much for Microsoft to do to maintain Exchange's status. The only thing you can be sure about with technology is that it will change over time; the trick is to understand why technology changes and how the change will influence and affect customer options. The Exchange development group undoubtedly has a few tricks up its sleeve to excite and delight customers, but it would be surprising if it doesn't already have the technologies I've discussed here on its radar screen. 
Building a Business Case for UC 

Sidestep the fear factor with this step-by-step approach 

by Keith Lynch 

In day-to-day corporate life, it's rare for all members of a team to be able to communicate face to face. And if you're responsible for daily IT operations and for making sure your company's technology facilitates reaching its business goals, you want to provide the tools to make communication seamless. You start with desk phones, move to desktops, laptops, and fax machines, provide email, IM, mobile phones, and VoIP, and add smart phones and PDAs. But does all this technology really solve the problems of corporate communications? How many times have you had a simple yet urgent question and gone on to spend a frustrating half-hour IMing, making phone calls, and sending email messages simply to reach the person who can give you the 30-second answer you need? If you could unify all your individual technologies into a truly integrated solution, communication would be easier and faster, deals would close, projects would meet their deadlines, and you'd go home on time a lot more often. 

If your company has an existing investment in a Microsoft infrastructure, Microsoft's unified communications (UC) technologies can solve your communication headaches. Three key products form the backbone of Microsoft UC: Microsoft Exchange 2007, Office Communications Server 2007, and Office Communicator 2007. When you deploy these technologies together, you can provide ad hoc voice and video conferencing, archiving and encrypting of IM traffic, and voice access to email, contacts, and calendars. Your company's employees will have a single point of contact for all other employees, and transitioning between email, IM, and voice and video conferencing can all be done with ease. You can make communications easy again. You can be a hero! But you know that when you propose UC to your senior management team, they'll say, "Show us the business case." Business cases make sense, but it's rare to find someone who is skilled at, or comfortable with, creating them. Here's where this article can help you: I'll show you how to create a business case for UC that will be both compelling and appealing to your senior managers, even if you don't have a degree in accounting and find the very idea of formulating a business case terrifying. My goal isn't to sell you on specific Microsoft UC solutions, but let me segue into the topic of making a business case for UC with a brief discussion of UC's value. 


Why UC? 

Sage Research has found that an average of 43 minutes per day could be saved for every business employee whose voicemail, email, and faxes are routed into one inbox. And Gartner has predicted that over the next three years, 80 percent of American businesses will integrate voice and messaging communications into their core line of business (LOB) applications. 

Existing UC solutions can be divided into two categories: hardware-centric and software-centric. Vendors such as Cisco and Nortel have traditionally provided a large portion of their solutions with the hardware-based approach (although there are software components to this approach). These solutions provide end-to-end devices and can operate independently of core applications such as Exchange and AD, or they can integrate with core applications by way of software-based connections. Hardware-centric solutions traditionally guarantee the highest quality of service, but a substantial investment in hardware is necessary, in addition to the post-deployment maintenance and management costs of vendor-specific applications and devices. 

The software-centric approach is exemplified by Microsoft UC solutions. Because these solutions solve UC problems by using software, the skill sets necessary to maintain and manage the UC environment typically already exist in most enterprise IT server and application teams. At the highest level, a Microsoft UC environment will leverage existing investments in AD; integrate with Exchange, SharePoint, Office, and third-party LOB applications; and work inside and outside physical offices. 

Business Case Fundamentals 

In its simplest form, a business case will generally be based on the following formula: 

Investment < { [(Implementation Costs) + (Maintenance Costs)] 
               - [(Increase in Revenue) 
                  + (Time Returned per Employee 
                     × Full-time Employee Fully Burdened Hourly Rate 
                     × Number of Affected Employees)] } / Time 

This way of calculating ROI shows that the investment in the new solution, in this case UC, will affect the business positively over a period of time. The accepted time frame is typically 12 to 18 months, but there are no hard and fast rules about how long this period needs to be. As you can see, all of the costs in the formula are quantifiable and can be documented and substantiated. As long as the amount on the left is smaller than the amount on the right, approval is a sure thing. 

44 Windows IT Pro DECEMBER 2007 

The problem with this approach is that the formula doesn't account for strategic items that aren't easily plugged into it. For example, what if your employees could prevent everyone but their manager from ringing their desk phone? What if everyone in your company could be reached via a single phone number? What if your remote teams could see each other on video during weekly conference calls and those calls were available via a video recording to anyone who couldn't attend? Such UC solutions would offer significant benefits for your organization, including increased individual and team productivity, a heightened spirit of collaboration, improved relationships, and enhanced security. But the impact of these benefits is difficult to represent in the formula above. Therefore, the key to building a successful business case for UC is capturing the strategic behaviors that most affect your business. 

The best way to do this is to schedule information-gathering meetings with key people in all areas of the business. These will include the CEO, CFO, CTO, business owners, project managers, and accounting, delivery, sales, Help desk, and other employees. (My typical practice is to schedule individual interviews followed by meetings with small groups.) I open these meetings by saying, "Thank you for taking a few minutes to talk with me today. We are currently considering ways to improve how we communicate with each other and our customers. We are doing this by gathering feedback from all areas of our business and consolidating them into high-level requests. Could you tell me about your experiences using our communications systems? How and how often do you use voicemail, email, faxing, and videoconferencing in your daily tasks? Have you come across any challenges?" 

Nine times out of ten, you'll be provided with more information than you could possibly explore in a half-hour. The great thing about this approach is that you'll be recording the pain points that are specific to your company—not "companies of our size" or "typical industry experiences." When you feel that the meeting participants have said all they can, you have the opportunity to build supporters for your UC case. Think about how the pain they're experiencing today could be solved with your proposed solution. (The sidebar, "So Tell Me, Where Does It Hurt?" lists some problems specific to designated areas of a typical company.) You might say something like, "So, Fred, you said that one of the challenges you have today as sales manager is your team's inability to get accurate inventory information when they're on a sales call because they can't contact the right people at the warehouse, and thus can't close the deal. How many more deals do you think you could close per month if you had access to the people you needed at the point you needed them?" You can continue this process to compile as much company-specific information and to recruit as many supporters as you'd like. 

Fashioning Your Approach 

Your approach to adopting UC should be to start with a single department and a limited deployment of the solution. Think about how you can start down the UC track with minimal costs and maximum exposure. In my experience, adopting UC is very much like what happened with business laptops. Companies started out by deploying laptops for only a few individuals. As the benefits of enhanced employee autonomy and increased economic advantage became apparent, more and more laptops were deployed, until the business laptop became the ubiquitous tool it is today. I like to call this "the smoldering effect": An innovation once introduced into an organization will smolder for a period before it bursts into flame. 
As you meet with each area of your business, it’s good to have an understanding of some of the business pains that a UC solution can solve. Here are some examples by business area of typical problems that you can present to help others in your company see the value of unifying communications. 

Business Area: Issues or Pain Today That Could Be Solved by Unified Communications 

Executive Management 
• Employees wasting time trying to coordinate communications 
• Poor access to key employees for decision making 
• Slowness to decisions and market 
• Poor retention of key employees due to inadequate tools (this is especially important with the generation that has grown up with technology and expects adequate tools) 

Finance 
• Additional costs of maintaining multiple communications systems 
• Travel costs spinning out of control 
• Mobile phone costs increasing 
• Poor visibility into sales, cash flow, and inventory due to disconnection between sales, suppliers, manufacturing, and delivery 
• Difficulty providing accurate financial reporting due to poor reporting from the field 
• Difficulties in documenting compliance with internal and external regulations 

Sales 
• Inability to contact key employees at the time they’re needed 
• Customer difficulty reaching sales representatives easily 
• No way for sales representatives to easily check on inventories or capabilities while on sales calls 
• Access to key technical resources in the field limited by budgetary and resource constraints 

Marketing 
• Inability to quickly contact and coordinate corporate communications during a PR emergency 
• New products’ time to market slowed due to the inability to coordinate key employees 
• Webinars, virtual conferences, and solution offerings can’t be provided or require costly third-party systems to produce 

Customer Service 
• Customers are unable to contact customer service through standard means such as IM, resulting in a slower time to resolution 
• Resolution of customer problems is delayed because of the inability to contact key internal personnel 
• Customer service representatives are tied to their desktop because they can’t provide services remotely 

Human Resources 
• Recruitment is difficult because ineffective communications systems are a turn-off for new employees 
• Training remote groups effectively is difficult because of inadequate technology 
• Turnover is high due to the inability to bring a sense of belonging or involvement to remote employees 

Project Management 
• Managing remote teams and projects is difficult because of inadequate technology 
• Conference-call meetings are ineffective because participants can’t communicate effectively 
• Productivity and quality are impaired because inadequate tools preclude effectively collaborating in real time 

Information Technology 
• Must support multiple skill sets to maintain multiple communications and collaboration systems 
• Constant need to reduce the costs of existing communications devices and means 

Security/Legal 
• Must provide auditing of all types of communications, including IM 
• Must comply with regulations requiring that confidential data is not hosted on a third-party system 
• Must provide “ethical walls” of communications, preventing groups of employees from communicating with one another 
• Must provide proof of end-to-end compliance with auditing requirements 
• Must be able to easily comply with subpoenas requesting information across multiple systems 
After you've collected information in your interviews, identify the top one or two business problems that deploying a UC solution will solve. Concentrate on the pain points that have high senior-management impact and visibility. This means you need to stay away from the feature-and-functionality play. Instead, concentrate on specific solutions. Here's how you might present a solution to the problem that Fred the sales manager brought to light: "After speaking with the sales team, we've determined that, by deploying a pilot of Office Communications Server, the enhanced communication and videoconferencing capabilities will help the sales team reach the right people in the warehouse at the right time. It will also let us include our remote limited presales engineers in customer meetings that they couldn't attend before because the travel budget didn't allow it. Fred estimates that with these improvements, his team can close an average of one more deal per month per salesperson. With an average deal size of $63,000 and five salespeople, we can see an increase in yearly revenue of $315,000 from a limited UC deployment in just this one department." 

This is the way you should think about how to introduce UC into your company. Start by getting approval for a limited deployment in a single department. You might even look into taking advantage of evaluation software to keep your upfront costs down. Keep the overall investment in hardware and software to a minimum by purchasing only the consulting, hardware, software, and licenses necessary for your limited initial deployment. For example, you might not need a fully redundant system if you're augmenting and not replacing existing voice functionality. Just be sure to plan an architecture that can grow with your company as you extend UC's reach to all areas of your business. 


Compiling a Presentation Document 

When you've gathered the data you need and have identified an area of limited deployment, it's time to put everything together in a document presenting your business case. The following outline will guide you in compiling an effective document. 

Start with an executive overview. This is a written summary of your solution and should be no more than four paragraphs long. It should follow this basic format: 

1. Describe the business problems your company is facing that you identified from the meetings you conducted with employees. 
2. Explain how you identified the problems by meeting with employees from throughout the business and listening to their problems and needs. 
3. Propose your solution to the problems. Back up your conclusions with data from third-party research organizations that detail the benefits of Microsoft UC solutions. 
4. Present the cost/benefit analysis of deploying your solution. 


Explain UC. It's important to use business-relevant terms to explain UC in this section of the document. Don't dive into the technical features of a UC solution, and stay away from using technical jargon. The senior-manager decision makers reading this document will want and need to understand how a UC solution can benefit the business. Knowing how the solution works won't be an important consideration for them. 

Detail the problem. Describe in detail the one or two strategic business issues you're bringing forward and how your pilot UC solution will solve these problems. Be specific in describing the pain points you uncovered in your interviews concerning these problems. 

Calculate costs and benefits. Use the simple ROI formula and the UC Calculation Spreadsheet (available for free download from www.windowsitpro.com, InstantDoc ID 97305) to calculate your solution's estimated implementation and maintenance costs and the anticipated revenue increase and return on employee time. Combine these figures with the strategic information you gathered from your employee interviews to demonstrate a complete picture of the investment necessary to achieve your UC solution's benefits and the anticipated payback period. 


Go! 

The words "business case" need no longer strike fear into your heart. If you follow the simple rules of listening to your employees, documenting pain points, demonstrating how a UC solution will solve specific problems, starting with a limited deployment, and using a simple formula to calculate ROI, you'll be in the planning stage of a Microsoft UC pilot before you know it. 

InstantDoc ID 97305 


Keith Lynch (keithl@intellinet.com) is the director of core infrastructure for Intellinet, working with clients to architect, design, and deploy Microsoft Unified Communications Solutions. He routinely speaks and provides training on enterprise deployments of Exchange, Office Communications Server, and Active Directory. 
Carrying the banner of unified communications, which suggests the integration of the multitude of communications options available to the business user into a single interface that allows any and all of the communications options to be utilized, Dell has decided that the appropriate approach is to build pre-configured solutions. These solutions take advantage of Microsoft software solutions running on Dell hardware to provide the unified communications environment and Nortel telecommunications hardware that takes care of PBX or PSTN integration. 

• WHAT IS UNIFIED COMMUNICATIONS? 

Also sometimes referred to as unified messaging, unified communications (UC) is the integration of commonly used communications methodologies into a single, managed computing environment. The International Engineering Consortium defines UC as "... encompassing all forms of call and multimedia/cross-media message-management functions controlled by an individual user for both business and social purposes." 

In a business environment, UC is all about delivering messaging and communications to the user's desktop. The average business user, at the very least, has a telephone, an IM client of some sort, Web access to the Internet that allows access to hosted conferencing services, and an email client. All of these tools are used regularly and are likely critical to the user getting their work done. But in the vast majority of environments, the delivery of these core capabilities is done through as many different applications - both hardware and software - as there are different tasks (see Table 1). 

• MICROSOFT OFFICE COMMUNICATIONS SERVER 2007 

Table 1: Communications Technologies 

Existing Communications Technologies: 
• PBX 
• FAX 
• Voicemail 
• SmartPhone 
• Instant Messaging 
• Web-conferencing 
• Calendaring 
• E-mail 
• Desktop telephone 

Communications Delivery Mechanisms: 
• PSTN telephony 
• Internet 
• Cellular services 
• Broadband wireless 
• LAN 
• Internet 
• WAN 

Server & Client Applications: 
• Microsoft Office Communications Server 2007 
• Microsoft Exchange Server 2007 
• Microsoft Office Communicator 2007 
• Microsoft Office Communicator Web Access 2007 
• Microsoft Office Communicator Mobile 2007 
• Microsoft Outlook 2007 


The centerpiece of the Microsoft unified communications effort is the new Office Communications Server (OCS) 2007. In OCS 2007 Microsoft delivers the keystones of UC: VoIP, conferencing, presence, and instant messaging in a fully integrated Windows Server environment. These capabilities are scalable from a small branch office to a 100,000-user corporate enterprise. OCS 2007 is available in two versions designed to meet the range of needs of the corporate user. 

STANDARD EDITION - With Standard Edition all the server components are hosted on a single server, including the database used for storing user and conference information. Use of Standard Edition gives you access to all the capabilities of OCS that do not go outside the bounds of the organization with that single server. Additional functionality, such as public conferencing or VoIP, would require the use of multiple servers, but can still be accomplished with Standard Edition. If the organization has more than 5,000 users or requires a high-availability solution, Standard Edition is not appropriate. 

ENTERPRISE EDITION - Enterprise Edition (EE) is a requirement for organizations with more than 5,000 users or that need a high-availability solution. With the EE version of OCS, the server's functionality and the data storage are separated, residing on their own server or servers. Generically, an EE pool consists of a front-end server and a back-end database. The front-end servers (usually two or more) can be deployed behind a hardware load balancer. Also, many of the server components that make up OCS can be deployed on their own physical servers to support larger organizations and higher capacity operations. 

But it's not just the server-side OCS 2007 that brings users the benefits of a UC environment. The Office Communicator (OC) 2007 client delivers access to the benefits of the UC environment in a familiar, Windows Office user interface that gives Windows users an intuitive grasp of how they can use the UC services now available to them. OC integrates with existing Windows applications and helps to enable the client side of the click-to-communicate functionality delivered by OCS 2007. 

Basically, OCS 2007 can deliver a full set of features in four environments: 

• Instant Messaging 
• Presence 
• Conferencing 
• Voice over IP 

IM through OCS 2007 can be internal, allowing communications only with users within the organization, and external, where there is public access to the IM capabilities. Most users are familiar with IM, either from Microsoft Messenger / Microsoft Live or one of the many public IM server clients. With OCS 2007 the advantages of instant messaging can be brought to corporate users without the worries over data security and availability that would come with trying to use a publicly available service in this role. 

More importantly, from the perspective of business workflow, the messaging available through OCS is tightly integrated into Microsoft application and operating system features that are likely already in use. For example, IM users can view information about their contacts that includes things such as links to that user's SharePoint site. And with all contact information about other corporate users available in the same interface, the user can choose to communicate via IM, email, or even click to make a phone call, should that functionality be enabled. If the IM user needs to show his contact something he is talking about, the IM session can be escalated to a Web conference, giving access to the conferencing tools and allowing improved business communications. Because the IM communication could have been to a group as well as to a single user, this provides an excellent medium, and mechanism, for group meetings on a spontaneous or organized basis. And if the OCS deployment is enterprise-wide, these meetings don't require geographic proximity. 

With tight control over IM and the ability to use it as a business tool, IM moves from the category of potential security risk and employee time-waster to a useful part of the business workflow process (see Table 2). 


Table 2: Key IM Features 

Integration with Web Conferencing: lets a user go directly from an IM session to a Web conference. 
Contact Card: detailed information about a contact, with the ability to launch an IM session or connect through email, voice, or a SharePoint My Site. 
Missed IM Indicator: icon notification of missed IMs. 
Group IM: IM conversations that can include up to 100 users. 
Corporate Distribution Lists: corporate lists coexist alongside personal contact lists; personal lists can be updated from the corporate list. 
Rich Content Support: users can paste directly from applications such as Excel and retain the formatting. 


• PRESENCE 

Presence capabilities go far beyond telling another user whether a contact is online, offline, or busy. While a standard IM client may use an activity indicator to determine whether the user is at the keyboard, with OCS presence is much more tightly integrated into the work environment. If a user is scheduled to be in a meeting on his Outlook calendar, his presence indicator will show "In a meeting" when checked by other users, without any intervention from the user. The user can even elect to show meeting details in that presence message, perhaps the location or scheduled end time. 

Users get a lot of flexibility in how their presence is displayed to other users. Because IM is not location dependent, a user working at a remote site may choose to have his presence indicator show his current physical location. Almost all the user-definable presence states allow a customized note to be added that will be displayed when another user looks at the presence indicator. 


Table 3: Key Presence Features 

Presence Notes: custom text notes can be added by the user in addition to standard presence information. 
Customized Presence States: administrators can define global custom presence states. 
Contact Tagging: special indicators that show when a tagged contact's presence changes. 
Presence Levels: custom information about the user displayed to contacts based on their presence level. 
Location Display: details of the user's physical location. 


Users also get an effective "Do not disturb" sign, which blocks unwanted IMs from users who aren't on a list of designated users. Conversely, a user can tag another user's presence indicator to be alerted when that indicator changes, so that they can then communicate with a user who has returned to the office or taken off a "Do not disturb" message. 

Presence information (see Table 3) makes IM that much more useful, with real information delivered about a user without even needing to communicate with that user directly. It is critical to useful IM in a business environment. 

• CONFERENCING 

Multi-party Web conferencing is one of the key features of OCS 2007. This feature brings the capabilities of online Web conferencing services in-house and allows users to organize and deliver rich multimedia content in an interactive environment to both internal and external users of OCS. 

Traditionally, Web conferencing has been fairly static, with a speaker able to deliver a canned presentation to a group of users who have connected to the conference. That capability remains, but the focus moves from the static presentation of content to interactive conferencing. This approach allows not only audio participation by attendees, but also active integration of content that can be delivered from attendees during a presentation. 

Users are able to make and share annotations on the slides used in presentations, share control of live applications that are being used or demonstrated during the conference, hold sidebar conversations, either in text messages or multi-party VoIP, without disrupting the primary presentation, and, with the Live Meeting client, record the video and audio portions of meetings for future use. Users can even start a whiteboard session alongside a meeting to facilitate the sharing of ideas or diagrams that are best presented in that fashion. 

Along with the ability to create more interactive communications with others, users running presentations get the controls necessary to limit the actions of attendees. Presenters can lock down the meeting to selected users or groups of users, selectively mute users, invite additional attendees to ongoing meetings, and lock out or eject users who are disruptive (see Table 4). 


Table 4: Key Conferencing Features 

Application Sharing: share display and control of applications with other users. 
Dynamic Content Sharing: users can share dynamic content such as Adobe Flash or Windows Media. 
Handouts: users can share files in native formats such as Word and Excel. 
1:1 Chat: users in conferences can exchange text messages with each other. 
Whiteboard: users can start whiteboard sessions during presentations. 
Shared Notes: users can share their notes with other users in a presentation. 
Single-click Conferencing: users can select attendees from their contact list and initiate a Web conference. 
Snapshot: users can share screen captures. 
Integration with Microsoft RoundTable: panoramic video conferencing with dedicated hardware. 
Questioning: a question queue accessible to attendees; the presenter can pull questions from the queue to be addressed. 
Table 5: Key VoIP Features 

Unified Messaging Integration: integrated with Exchange Server 2007. 
Conference Calling: user-initiated multi-party calls, which can be started directly from contact lists; an Outlook add-in supports scheduled automated conference calls. 
Call Forwarding: rules-based call forwarding options. 
Call Deflect: calls are dynamically forwarded to another device, such as a cell phone, or directly to voicemail. 
Click to Call: users can initiate calls through the UI wherever presence information is shown. 
Simultaneous Ring: an incoming call rings all registered endpoints for the contact plus an external number or mobile phone. 
Call Sensitivity Control: a security feature that lets a user control the sensitivity level of a call and prevent other users from being added to it. 
Call Context: information about the call that is made available to other OCS users. 
Hold, Transfer, Call Waiting: as would be found on a PSTN system. 
DTMF Generation: tone generation to allow use of systems that require tones (such as IVR). 


• VOICE OVER IP 

For VoIP, Microsoft delivers a software-based solution called Enterprise Voice. Enterprise Voice is fully integrated into the OCS solution and can be implemented with an existing PBX infrastructure or in a greenfield environment where there is no PBX available, or necessary. 

Enterprise Voice is a completely integrated solution: users can be contacted on all of their registered endpoints, be it the Office Communicator PC client software, a SIP phone, or their mobile phone or mobile device. None of these features requires that the user change an existing phone number. And because Enterprise Voice is a software solution that can traverse NATs and firewalls, users can have access to corporate communications from any Internet connection if desired, without the need to use a VPN to connect back to the corporate network or to incur long-distance telephone expenses. That remote access relies on the perimeter edge topology described later with Figure 4; it does not mean exposing the internal OCS servers directly to the Internet. 

Enterprise Voice requires a minimal investment in new hardware and does not require major modifications to existing communications infrastructures, either telephony or OCS 2007. The OCS 2007 management tools are designed with Enterprise Voice in mind and are capable of managing its installation and use. 

A solid VoIP installation, together with the other features of OCS 2007 and Outlook and Exchange unified messaging, brings a complete messaging environment to the business user's desktop. A user is able to communicate with any other corporate user, or with contacts outside the corporation, with the click of a mouse in a familiar, intuitive interface. 

Just as importantly, inbound communications can find the business user at any registered location, allowing a physically dispersed business to have the communications abilities of a business at a single location, with similar ease of communication throughout the enterprise (see Table 5). 

These four key capabilities begin to define what OCS 2007 can do for your organization. But planning and deploying a corporate-wide UC solution requires more than selecting the tools to use. Deployment and implementation also require picking the right set of features for your organization and the different entities within it. Different groups may require different feature sets, and different types of deployments may be required at different locations. OCS 2007 gives you a great deal of latitude in how it can be deployed and what features can be delivered, all while still integrating with existing communications solutions. 

Figure 1: Basic single-server topology with no support for off-premise communication. Active Directory domain: contoso.com. Standard Edition pool FQDN: SEpool.contoso.com. Users: User1@contoso.com, User2@contoso.com. 

But there are a number of considerations that need to be looked at before you begin your OCS deployment. Let's look at the information necessary to plan a successful rollout of a fully integrated unified communications solution that makes best use of OCS 2007, Exchange and Outlook Unified Messaging integration, and your existing communications infrastructure. Like any corporate-wide, line-of-business application, careful planning is required before the first deployments begin. Because of the nature of a unified communications platform, it is not something that you want to install haphazardly. The ramifications of each level of installation must be carefully evaluated. 

We will start out by looking at the features and functions that OCS 2007 delivers to your corporate communications environment, from the basic advantages of a Standard Edition server delivering only a subset of the services to a single office to a full-blown Enterprise Edition deployment that delivers integrated communications, from IM to VoIP, across the corporate enterprise. 

Dell is offering its UC solution in a module-based approach that allows customers to choose which modules they wish to integrate into their business model. Dell has broken those modules into four areas of interest: 

• Core Office Communication Server 2007: provides instant messaging and on-premise Microsoft Live Meeting. 

• OCS Telephony: enables call routing, tracking and management, VoIP gateway and private branch exchange (PBX) integration. 

• Audio and Video Conferencing: allows point-to-point conferencing, video conferencing and VoIP audio conferencing. 

• Exchange Unified Messaging: provides voicemail, email and fax in Microsoft Outlook, and anywhere access to the Microsoft Outlook Inbox and Calendar. 

The first three modules are the province of OCS 2007; the last is part of implementing Exchange Server 2007. We are going to walk through what is actually involved in deploying and utilizing all four modules of the complete Dell Unified Communications solution. 
The Core OCS 2007 module can be implemented in a number of ways, the simplest being a basic single-site OCS 2007 deployment, using Standard Edition, to deliver Web conferencing and IM capabilities to an organization of fewer than 5,000 users. This is the simplest deployment option for OCS in general and is good for a remote site or for a pilot deployment. It could also be done using OCS Enterprise Edition (Consolidated) on a single server. While it is possible to deploy the services specified in the core module using a full-blown Enterprise Edition installation, it seems an unlikely choice unless it is merely the first step in a rollout of all of the features of OCS 2007 across the enterprise. 

There are a few prerequisites for deploying this configuration in your environment. You must be using Windows Server 2003 with Active Directory in native mode, not mixed mode, and you have to have a PKI in place, because OCS secures its SIP signaling with TLS. While you can make use of a public PKI service, it is simpler to install Certificate Services, which is included with Windows Server. Whichever CA you use, the server certificate must carry the pool FQDN (SEpool.contoso.com in Figure 1) and chain to a root that every client machine trusts; clients will refuse to sign in against a certificate that fails either check. 
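A pre-flight script for the two prerequisites just listed, added here as an example; it is not part of the original article and not a Microsoft or Dell tool. It assumes it is run on the server that will host the pool, uses the pool FQDN SEpool.contoso.com from Figure 1 (change the parameter for your own pool), reads the domain functional level through the .NET DirectoryServices classes rather than any OCS-specific API, and then looks in the local machine store for a certificate with a private key whose subject or subject alternative names cover the pool FQDN, is within its validity period, and chains to a CA the machine trusts. 

```powershell
# Added example: pre-flight checks before installing an OCS 2007 Standard Edition pool.
# Assumptions (not from the article): run on the prospective pool server with local
# admin rights; pool FQDN defaults to the one shown in Figure 1.
param(
    [string]$PoolFqdn = "SEpool.contoso.com"
)

# 1. Domain functional level. OCS 2007 needs a native-mode domain; the .NET enum
#    names mixed mode as Windows2000MixedDomain and the 2003 interim level similarly.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$mode   = $domain.DomainMode.ToString()
if ($mode -match 'Mixed|Interim') {
    Write-Warning ("Domain {0} is at level {1}; raise the functional level before installing OCS." -f $domain.Name, $mode)
} else {
    Write-Host ("Domain {0} functional level: {1}" -f $domain.Name, $mode)
}

# 2. Server certificate. Collect every DNS name a certificate is valid for: the
#    subject CN plus any subjectAltName (OID 2.5.29.17) DNS entries.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders the extension as "DNS Name=a.contoso.com, DNS Name=b.contoso.com"
        foreach ($entry in $san.Format($false).Split(',')) {
            if ($entry -match 'DNS Name=(.+)') { $names += $Matches[1].Trim() }
        }
    }
    return $names
}

# A certificate the service can actually use must have its private key on this machine.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ((Get-CertDnsNames $_) -contains $PoolFqdn)
}
if (-not $candidates) {
    Write-Warning "No certificate with a private key for $PoolFqdn in LocalMachine\My; request one from the enterprise CA before running OCS setup."
    return
}

$now = Get-Date
foreach ($cert in $candidates) {
    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    # Verify() builds the chain against this machine's trust store and checks revocation;
    # a self-issued or unpublished-root certificate will return False here.
    $chainOk = $cert.Verify()
    "{0}  {1}  valid-dates={2}  chain-trusted={3}  expires={4:yyyy-MM-dd}" -f `
        $cert.Thumbprint, $cert.Subject, $inDate, $chainOk, $cert.NotAfter
}
```

Run it from an elevated PowerShell prompt on the intended pool server. The name comparison is case-insensitive, as PowerShell's `-contains` is for strings, so SEpool.contoso.com and sepool.contoso.com match; a certificate that lists the FQDN but reports chain-trusted=False is the case to fix first, since client machines that do not trust the issuing CA will fail at sign-in rather than at setup. 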

In the core configuration shown in Figure 1, the only services that can be provided are IM, presence (to local users) and Web conferencing for local users. User computers will need to have Office Communicator 2007 installed, or the Live Meeting 2007 client to access Web presentations. Telephony services are provided by the existing telephone system and there is no integration with IM or conferencing. 

This is the most basic of the UC services configurations. IM and on-premise conferencing are integrated together, along with other local Microsoft Office applications. Because OCS 2007 is tied into Active Directory, the capabilities of integrated IM and conferencing previously discussed are available to users at this single site. 

Figure 2: Basic OCS installation with internal support for VoIP. An AD server and an OCS 2007 server serve internal VoIP users on SIP phones and software VoIP clients; a media gateway connects to the PSTN cloud for external PSTN users. 


Expanding this configuration to include the second module, OCS Telephony, would give the user a topology similar to that shown in Figure 2. This configuration takes the basic topology and adds a second OCS server in the role of Mediation Server and a connection to the PSTN via a media gateway. 

Figure 3: OCS VoIP integration via an existing IP-PBX. 

Because the server roles are now split across multiple servers, this installation will likely move up to OCS 2007 Enterprise Edition. A PC acting as a VoIP endpoint needs to be running the OC client; a version of Communicator pared down to the essentials for telephony, Office Communicator 2007 Phone Edition (OCPE), runs on dedicated IP phones rather than on the PC. With the OC client the user can make and receive calls directly from his PC, which must have a microphone and speakers in order to act in this role. 

With either client, users are able to use the touch-a-contact feature to initiate calls to a contact, without the need to look up the phone number. They can also do normal PBX-type phone actions such as call transfer and conference calling, and access voicemail on an individual basis without going through the entire voicemail menu. And they can configure call-handling options, such as forwarding calls to another number or to a mobile phone. On the PC, these tasks are all done from the console and don't require a physical telephone. 

A SIP phone, as shown in the diagram, is a piece of VoIP-enabled hardware that looks and feels like a traditional telephone handset. This hardware is available from a number of vendors. 
While Figure 2 shows the connection between the OCS installation and the PSTN as a media gateway, a more likely situation will be integrating the OCS solution with an IP-PBX, as shown in Figure 3. 

PBX integration requires an IP-PBX with native support for SIP, IP media, and OCS, such as that available from Nortel (a UC partner with Dell). Users with older TDM-PBX systems will need to use a media gateway, as shown in Figure 2, between the OCS Mediation Server and the TDM-PBX. In this environment, the media gateway uses SIP and IP media to communicate with OCS and standard telephony protocols to communicate with the PBX. 


Figure 4: An OCS 2007 network extended out to external users. 

Figure 5: Internal architecture of a high-availability OCS installation. 


With the first two modules installed, the next module, Audio and Video Conferencing, extends to external users the conferencing features that are available internally to the enterprise. The most significant complexity that adding this module brings is the need to build or extend your corporate perimeter network. 

As shown in Figure 4, allowing access to external users requires an edge topology that firewalls your network in both directions. By using an HTTP reverse proxy in the perimeter network, users outside the corporate network can reach the OCS resources published from the internal network without the internal servers being exposed directly. With OCS 2007 Enterprise Edition you can build high-availability solutions with support for more than 100,000 users. For high performance and availability, OCS can be configured with front-end load balancers that sit in front of the OCS servers and direct requests to the appropriate server. As shown in Figure 5, the internal architecture of a high-availability solution is very straightforward. 

• EXCHANGE UNIFIED MESSAGING 

The fourth and final module of the Dell Unified Communications platform is the Microsoft Exchange Server 2007 Unified Messaging technology. This module has no dependencies on OCS for its basic implementation, and is one of the roles available to Exchange Server 2007. It can be implemented at any point in the process of rolling out the Dell Unified Communications Solution, and its capabilities add functionality to any of the selected OCS 2007 implementations. 

• WHAT IS EXCHANGE UNIFIED MESSAGING? 

Exchange Unified Messaging is a set of technologies used to consolidate communication information into one location. When in use, the user's email inbox becomes the repository not only for email but also for voicemail, faxes, contact information and calendar appointment information. Unified Messaging is one of the five server roles that can be defined for an Exchange 2007 server. 

It does not require a dedicated server and can be run on an existing Exchange 2007 server currently holding a different role, or, in a large organization, implemented on its own dedicated hardware. 

The Unified Messaging server is responsible for communicating with both email and telephony systems. It routes calls and messages to a user's inbox, handles recording and playback of voicemail messages, and receives faxes, routing them to the appropriate locations. Outlook Voice Access, if configured, is also supported on the server. 

VoIP is fully supported, as are IP-PBX systems natively and traditional PBX systems via a media gateway. 

Implementing unified messaging has four major business benefits: 

• More efficient use of employees' time: by making Microsoft Outlook 2007 the center of the UM environment, users who already spend considerable time working in Outlook can be more productive, because actions that once required launching additional applications or using different devices can be handled directly from their Outlook environment. 

• Easier access to information: if a user works in multiple locations, all of this information remains location-independent; it can be accessed from anywhere the user can get to his Outlook 2007 inbox, including Outlook Web Access. With Outlook Voice Access, the contents of the user's inbox can be accessed from anywhere the user can make a phone call. 

• Reduced costs: unified messaging makes it possible to move from expensive dedicated hardware to general-purpose computing devices; for example, a branch office that would once have needed a dedicated voicemail system can now offer that same functionality through an existing Exchange 2007 server. As new telephony technologies such as VoIP are rolled out, integration with a UM solution makes them more effective and allows additional capabilities to be provided to users without significant additional expense. 

• Expanded capabilities: Exchange Unified Messaging works with other Microsoft collaboration tools, including Microsoft Outlook, OCS 2007, and Office Communicator 2007. It also enhances the capabilities of those applications, making them more productive for business and more cost effective to deploy. 

Figure 6: Exchange UM architecture for both internal and external access. 

As shown in Figure 6, Exchange UM has its own deployment architecture, which ties into your existing network and server infrastructure and merges well with a full implementation of OCS 2007. 

• CONCLUSION 

Unified communications is a technology that can bring significant benefit to corporate users. UC lets you streamline the communication aspects of the business workflow process, which results in improvements in user productivity and the enhancement of overall business productivity. From the perspective of the business user, it just makes a lot of normal business activities easier to accomplish. 

In the past, the biggest stumbling blocks to deploying unified communications solutions have been the necessity of integrating products from too many vendors, with the resultant problems with ongoing maintenance, monitoring and support. Traditional IT issues, such as the need to keep systems patched and updated while assuring that applications continued to function properly, made large multi-vendor implementations of UC an expensive and time-consuming choice. 

Dell has decided to take on the hard part of implementing UC solutions by building lab-certified, business-ready solutions. To do so, Dell has partnered with Microsoft to provide the software side of the equation and Nortel to provide the critical telephony pieces, while building the complete solutions on Dell's well-respected server hardware. 

By taking this approach, Dell takes a large part of the risk out of the decision to implement a UC solution in your business. Business decision makers can get a good handle on the costs of implementing a UC solution, because the packaged solution purchased from Dell, with the assistance of its consulting practice and lab testing, means that there should be few, if any, surprises with installation on customer sites. 

Whether integrating with existing telephony solutions or building ground-up installations that are UC ready, making the choice to go to a unified communications environment has the potential not only to simplify the business workflow but also to make your business more productive and more successful. 
Windows IT Pro: A GOOD CAREER CHOICE FOR YOUR 

IT JOBS ARE IN DEMAND, BUT SOME TECHNOLOGY WORKERS WANT THEIR CHILDREN TO AVOID AN IT CAREER. FIND OUT WHY 

Although parts of the US economy may be in the doldrums, you can't say the same about the thriving IT industry. IT spending bottomed out after the Internet bubble popped a few years ago, but lately the technology sector has experienced a remarkable period of expansion—and not just in the United States. Gartner projects that worldwide IT spending will surpass $3 trillion in 2007 and foresees the growth continuing into 2008, when worldwide spending could top $3.3 trillion. You'd expect that the IT job boom would give IT folks a rosier outlook on their profession, but for some IT pros that isn't the case. Recent news about the decline in computer information systems (CIS) majors at US colleges and mixed news about IT job satisfaction led us to wonder how our readers actually feel about their IT jobs, as well as some causes of and ways to address job dissatisfaction. Let's take a look at the state of the IT job market and a sampling of opinions from industry pros about the state of IT as a career. 


How to Improve IT's Career Appeal 

What would make IT a career you'd recommend to your children? Better hours? A more fun work environment? More respect? Join the discussion on the Windows IT Pro Career Development forum at forums.windowsitpro.com/web/forum/categories.aspx?catid=53. 


Employee-Driven Market 

An IDC study sponsored by Microsoft also points to a dramatic increase in IT spending in the near future. IDC projects that this increase will create 100,000 new businesses and more than 7.1 million new jobs by 2012. IDC's research finds that Microsoft continues to be the most significant company in the IT industry, as Microsoft is directly or indirectly responsible for 14.7 million jobs out of an IT industry total of 35.2 million people in 2007. In a statement announcing the IDC research results, Microsoft's Chief Research and Strategy Officer Craig Mundie said, "IDC's research quantifies the enormous power of software to create local jobs and grow economies around the world, in both developed and developing markets. Millions of people are employed globally in Microsoft-related activities, generating more than a half-trillion dollars in taxes in 2007 for governments worldwide." 

The boom in IT spending correlates strongly with ongoing demand for IT professionals of all skill levels. According to John Estes, a vice president at IT recruiting firm Robert Half Technology (www.rhi.com), the explosive growth in IT makes the industry a good one for job seekers. 

"It really is an employee-driven market right now," said Estes. "I'd say that nearly everyone that wants a job in IT is working now. If they're not, they're either between projects or simply choosing not to work. According to all the CIOs that we survey—and from my own personal experience—demand for all types of network administration is way up there." Estes pointed to several roles that his company sees significant demand for: Network administrators, network engineers, and network support staff are three of the roles employers request most. Mobility administrators, who specialize in the management of mobile devices such as laptops, Palm Treos, Research In Motion (RIM) BlackBerrys, and other mobile assets, have also been increasingly in demand. 

When it comes to training and certification, Estes said that the requirements from specific employers vary greatly. "Some clients really place more importance on work experience than certifications, while some clients want the opposite." Estes mentioned that applicants with Microsoft Certified Systems Administrator (MCSA) certification are usually in demand, and employers also request Cisco Certified Network Associate (CCNA) and Cisco Certified Network Professional (CCNP) certifications. 


Recommend IT to Your Children? 

Because IT is booming and jobs are plentiful in most markets, you might think IT pros would be happy in an industry where their skills and services are in demand. For the most part, you'd be correct in that assumption, but not all IT pros feel positive about their industry. 

Earlier this year, Windows IT Pro associate editor Caroline Marwitz blogged about IT career concerns. In her August 2007 post ("Are IT Pros Steering Their Children Away From IT?" InstantDoc 96904), Caroline asked IT pros whether they would recommend their current IT jobs to their children. Several responses highlighted concerns and frustrations with IT careers, citing work schedules, management's limited understanding of IT roles, and concerns about outsourcing. 

Some readers criticized companies' reliance on IT recruiting firms. ROGJR, a windowsitpro.com forum poster, wrote, "[Companies should] do their own recruiting." ROGJR continued, "That means staff development for existing employees versus throwing them out on the street, and [companies] taking on the recruiting job themselves... companies are losing out on good employees because a large percentage of the salaries are siphoned off by the recruiters. The salaries through recruiters are often so embarrassing that it drives off good candidates. Eliminate the recruiter and offer a decent salary, and the candidates will come." 

Bill Hubbard, a forum pro and veteran IT administrator, suggested that the odd and extended hours an IT pro is sometimes required to work could be another source of job frustration. "In pursuing a career in IT, you must be willing to work some odd hours, nights, weekends, holidays, all-nighters when a server is down, being on 24-hour call," wrote Hubbard. "Not all the time, and not in all positions, but if one makes a career out of IT, they will experience all of these at one time or another." 


IT professionals in Europe face many of the same issues and challenges as their US counterparts. According to one UK-based IT consultant, the current outlook for IT careers in Britain also seems strong, but he still wouldn't recommend IT as a career for his children. 

"At the moment it seems good. There is the usual bleating about skills shortages, but when you look at the unrealistic demands in some job adverts, it really suggests that [the skills shortages are] not as bad as painted," he wrote. 

The same consultant also took issue with increasing specialization in some IT job roles, a development that leads him to discourage his children from following in his footsteps in an IT career. "The IT today is so different from the one I entered more than 20 years ago," he said. "I wouldn't recommend it. I had an opportunity to experience many different roles [over the years], but these days, it seems that it's much more difficult to move out of the pigeon hole you're in." 

Forum poster rain3d qualified his decision to recommend an IT career to his children, suggesting that working in a company that provides IT services to other companies is preferable to working in an in-house IT environment. "I don't think that I would recommend a job in IT to my children, unless it is doing what I do," he says. "It seems that IT staff is generally under-appreciated, as the executives seem to think that anyone can keep the network up and running. What the execs don't know is that when they try to cut corners, they put their networks and data at risk, and get ripped off in the process.... I can't always blame the IT staff, as they may have budget limits imposed on them." 
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Growing the Next Generation

Although some IT pros have mixed feelings about recommending an IT career, there seems to be agreement about how to improve the situation. Several IT pros pointed to the recruiting process as an area needing improvement, an observation that Dr. John Sullivan, formerly the chief talent officer for Agilent and now a professor of management at San Francisco State University, agreed with.

"It's not that [companies] can't find IT people; there are millions of candidates out there," said Sullivan. "It comes down to how interesting you make working at your company sound. People in IT recruiting are dull as toast—they make accountants look exciting."

Sullivan suggested that companies look at using more creative methods to hire and attract talent, pointing to Google as a prime example of good recruiting practices. "Google has blown other companies away with its recruiting, and the firm is only six years old. And it's basically a Yellow Pages for the Internet," said Sullivan.

Google uses what Sullivan referred to as "Wow!" recruiting, which builds on Google's unique position in the market. "People have a story to tell about working at Google when they go home at night. Their kids, friends, and neighbors hear it and want to work at Google, too." Sullivan explained that the allure of Google as an enjoyable place to work isn't new. Several technology companies have enjoyed the distinction of being at the top of the list of companies graduates would like to work for, including such industry stalwarts as HP and IBM. "HP was the Google of its time, [but] it isn't now," says Sullivan. "I worked there because I learned back in college that you could play volleyball at lunch there. The courts aren't used now." HP was contacted to comment on the state of IT careers for this article but declined to comment.

Make Yourself an Asset 

Although companies looking for IT professionals can always find ways to improve and refine their processes for hiring and retaining key talent, the same is also true for employees. IT workers are well advised to keep learning new skills and working to better themselves, possibly through additional training, taking on new responsibilities, or going for that extra degree or certification.

Sullivan argued that employees need to get into the mindset of changing IT from a cost center to a business driver that can streamline processes and help generate additional revenue. "You want the decision-makers not to say, 'Oh, my system didn't break down,' but 'Oh, you helped me generate this revenue by helping me to do this project,'" said Sullivan. "If you have IT skills, know marketing, and can innovate, you'll get a job."

Extra training and certifications are always a plus, noted Estes, but you should also look to the future when making important career-changing decisions. "Certifications are good, but even better than that is making sure you look for companies that are working with leading-edge technology," said Estes. Working for a company that's running on Windows Server 2003 and taking advantage of leading technologies, such as virtualization, auditing and compliance infrastructure, and business intelligence (BI) applications, can help give IT pros the skills they need to remain marketable.


Learning Path

Learn more about the state of IT careers:

"Are IT Pros Steering Their Children Away From IT?" InstantDoc ID 96904
"Keeping Tabs on the Profession," InstantDoc ID 94049
"Sizing Up the IT Pro Community," InstantDoc ID 93975
"Are You Satisfied?" InstantDoc ID 48177
"Number of CIS majors drops," www.coloradoan.com/apps/pbcs.dll/article?aid=/20070824/business/708240337
"Addressing the Decline in CIS Enrollment," www.iacis.org/iis/2007_iis/PDFs/Pollacia_Russell.pdf
"IT ranked low on job satisfaction league," www.computerweekly.com/Articles/2007/08/06/226002/it-ranked-low-on-job-satisfaction-league.htm
"Techies' Job Satisfaction At A Two-Year High," www.informationweek.com/research/showArticle.jhtml?articleID=202200783

Beyond basic skills, Estes also suggested that good communication and interpersonal skills are still vitally important. "Good soft skills are a must, as are strong written and verbal communication skills," said Estes. "The old days of sitting behind a terminal all day and tuning out the rest of the organization are over."

Although the outsourcing of IT jobs has generated headlines over the last few years, both Sullivan and Estes suggested that this concern is overblown. Acknowledging that some people have been affected by outsourcing, Sullivan and Estes maintained that the idea that all IT jobs are going overseas is a myth. "That's absolutely not the case," said Estes. "While some jobs may be outsourced, you can work to make sure you're outsource-proof. Don't just focus on development of your tech skills—work on your project management or on your communication and people skills. Those types of skills aren't easily outsourced."

InstantDoc ID 97408 


Jeff James (jjames@windowsitpro.com) is senior editor, products, for Windows IT Pro and SQL Server Magazine. He specializes in virtualization and terminal services and has over 15 years of experience as a writer and digital-content producer.

Associate Editor Caroline Marwitz contributed to this article.
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
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Configure UNIX and Linux Clients to Use Active Directory


BY JOHN HOWIE

PROBLEM: NIS is an easy solution for integrating UNIX and Linux clients into a Windows environment, but it lacks security.

SOLUTION: Configure UNIX and Linux clients to use AD for LDAP authentication.

WHAT YOU NEED: Windows 2003 R2, LDAP, AD DCs, UNIX or Linux

DIFFICULTY: 4 out of 5

In "Integrating Windows with UNIX/Linux" (techxworld.com/community/blogs/features/archive/2007/05/02/integrating-windows-with-unix-linux.aspx) and "Migrating NIS Domains" (techxworld.com/community/blogs/features/archive/2007/07/06/migrating-nis-domains.aspx), I explain how to use Windows Server 2003 R2's Identity Management for UNIX feature (or Windows 2003's Services for UNIX, SFU 3.5) to integrate UNIX and Linux clients into a Windows environment, using Active Directory (AD) as the authentication store for user accounts. Identity Management for UNIX and SFU let your AD domain controllers (DCs) act as Network Information Service (NIS) master and slave servers and let your UNIX and Linux clients act as NIS clients. Depending on your configuration, users can use one set of credentials to log on to both Windows and UNIX/Linux clients.

Although NIS is easy to set up and configure, many administrators prefer not to use it because of past security problems or because NIS isn't secure enough for their enterprise: NIS maps are handed to any host that can name the NIS domain, and the password hashes in those maps are exposed to every client (a serious problem if the old UNIX crypt method rather than MD5 was used to hash passwords). UNIX vendors such as Sun Microsystems are moving away from NIS, instead favoring LDAP for authenticating users and accessing system-related data. Many security administrators believe LDAP is a more secure alternative than NIS. LDAP requires a central directory on an LDAP server, which stores user and computer data. Most modern UNIX and Linux distributions support LDAP, AD can act as an LDAP directory, and each DC functions as an LDAP server. In this article I explain how to configure UNIX and Linux clients to use Windows 2003 R2-based AD as an LDAP authentication solution. Although you can use Windows 2003-based AD and SFU for LDAP integration, I don't discuss this solution. Nor do I discuss using AD to store information about hosts, services, protocols, etc., for use by UNIX and Linux hosts. (For information about using Windows 2003 with SFU, try searching the Microsoft TechNet Web site at technet.microsoft.com/en-us/default.aspx.)


Getting Started

Before UNIX and Linux clients can use AD for authentication, you need to configure your Windows and AD environment. First, you must ensure that your UNIX and Linux clients have network connectivity to the AD DCs they'll use as LDAP servers. I recommend that you use standard network diagnostic tools such as Ping and Nslookup. If you aren't already doing so, use your Windows DNS servers as the DNS servers for your UNIX and Linux clients as well.

Next, you need to raise your AD domain functional level to Windows 2003. From a DC, run the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (dsa.msc from the command line), right-click the name of your domain, and select Raise Domain Functional Level from the context-sensitive menu. Raising the functional level can't be undone, so confirm first that no Windows 2000 or Windows NT DCs remain in the domain.

The next step is counterintuitive. If you haven't already done so, you need to install the Identity Management for UNIX feature on at least one Windows 2003 R2 DC, and configure Server for NIS. Although you won't be using NIS, installing this optional software extends your forest's schema with the necessary classes and attributes that support your UNIX and Linux-based users (the RFC 2307 attributes such as uidNumber, gidNumber, loginShell, and unixHomeDirectory), and extends the Active Directory Users and Computers snap-in to manage them.

Then, install the necessary software, as I describe in "Integrating Windows with UNIX/Linux" (techxworld.com/community/blogs/features/archive/2007/05/02/integrating-windows-with-unix-linux.aspx), and configure NIS domains that represent your Windows domains. (You don't need to follow the instructions to configure NIS on your UNIX and Linux clients.) Installing Identity Management for UNIX on every DC is unnecessary, but I recommend installation on several DCs, to ensure that the Active Directory Users and Computers extensions are available to domain administrators.
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

After configuring Server for NIS, use the MMC Services snap-in (services.msc from the command line) to disable this service on each DC on which you installed it. Right-click Server for NIS, select Properties, and select Disabled from the Startup Type drop-down list. If the service is running, click Stop. Click Apply, then OK to close the dialog box. Disabling and stopping Server for NIS prevents anyone from joining a UNIX system to the NIS domain that represents your Windows domain.

Next, follow the instructions in "Integrating Windows with UNIX/Linux" (techxworld.com/community/blogs/features/archive/2007/05/02/integrating-windows-with-unix-linux.aspx) to configure the groups and user accounts that will be used by UNIX and Linux users: place each into an NIS domain; assign each user a user ID (UID), login shell, and home directory; and place each user into a primary group (group ID, GID). Because the various versions of UNIX and Linux differ in how they query an LDAP server, I recommend that you place all of your UNIX and Linux users into one AD organizational unit (OU) or container.

Finally, create a user account, called the proxy account, that UNIX and Linux clients will use to bind to the DCs and perform directory searches and lookups. This account needs no special permissions or privileges on the DCs; it should be an ordinary domain user and nothing more. Configure the account so that the password never expires and can't be changed. Because that password will be stored in clear text in configuration files on every client, give it a long random value, don't reuse it anywhere else, and treat any client that holds it as able to read whatever the proxy account can read in AD.

LDAP Security

Before you can configure UNIX and Linux clients to use LDAP as an authentication method, you need to be aware of potential security problems and make the necessary changes to your Windows environment. When users are authenticated on UNIX and Linux clients, those clients connect to LDAP servers and bind using the credentials provided by the users. If the bind to the LDAP server succeeds, the user is authenticated to the UNIX or Linux client and his or her user information (e.g., home directory, UID) is downloaded.

The first issue is that many LDAP servers permit a client to bind (the LDAP term for authenticate) as an anonymous user and provide access to the information stored in the LDAP directory. Windows 2003 disables anonymous binding except in limited circumstances (by default, an anonymous client can read only the rootDSE). Although you can permit clients to bind anonymously, I advise against this practice. If users can bind anonymously, they can search the directory looking for information that can be used to launch attacks against systems and networks. Instead, create a proxy account (as I discuss in the previous section) that UNIX and Linux clients use to bind to your DCs so they can search the directory for user account information.

The second issue is that when clients bind to an LDAP server they can, and often do, send credentials in clear text. Anyone with a packet sniffer can see credentials pass over the network. The solution is to use Secure Sockets Layer (SSL) to encrypt the network communications between UNIX and Linux clients and LDAP servers; a DC offers this as LDAP over SSL (LDAPS) on TCP port 636 once it holds a suitable certificate. Before you can use SSL for secure communications, each LDAP server must have an SSL certificate issued by a Certification Authority (CA) that's trusted by both the client and server. Thus, you need a certificate for every DC that will be used by UNIX and Linux clients for authentication. Encryption alone isn't enough, though: each client must also validate the DC's certificate against that CA, otherwise a rogue LDAP server on the network can present any certificate and collect every user's password. That's why the client instructions later in this article begin by installing the root CA certificate on each client. You can purchase SSL certificates from a number of public CAs, or you can install and use Microsoft's Certificate Services. I recommend the latter option.

Use Certificate Services to create an enterprise root CA. Installing Certificate Services is relatively easy because you don't need to purchase additional software or certificates. In addition, features such as autoenrollment make deployment of certificates that can enable LDAPS automatic. For more information about installing and configuring Certificate Services, see the Learning Path, page 52.



1. Ensure that your UNIX and Linux clients have network connectivity to the AD DCs they'll use as LDAP servers.

2. Raise your AD domain functional level to Windows 2003.

3. Install the Identity Management for UNIX feature and configure Server for NIS.

4. Configure NIS domains that represent your Windows domains (although you won't use NIS).

5. Configure the groups and user accounts that will be used by UNIX and Linux users.

6. Create a user account called a proxy account to perform directory searches and lookups.

7. Obtain an SSL certificate for every DC that will be used by UNIX and Linux clients for authentication.

8. Install Certificate Services to create an enterprise root CA.

9. Configure your UNIX and Linux clients to use AD LDAP.
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


Client Configuration

Although some UNIX and Linux systems let you configure LDAP as an authentication method when you install them, I recommend that you use the following instructions to configure LDAP after system installation. The instructions I provide, which highlight three common UNIX and Linux variants (i.e., Solaris 10, FreeBSD 6.2, and openSUSE 10.2), also work for previously installed systems. Configuring LDAP on other UNIX/Linux versions is similar.

Solaris systems. Although Solaris 10 supports the use of LDAP for user authentication in the OS out of the box, configuration is somewhat involved. The first step is to create a certificate store that will be used by LDAP and install the root certificate of the CA that issued the SSL certificates used to enable LDAPS on the DCs that will function as LDAP servers. Run the following commands as root to accomplish this step. You need a file containing the Base64-encoded certificate of the root CA. The chmod makes the store world-readable so that the LDAP client code running in ordinary user processes can open it; the store contains only the CA certificate, not a secret, so that's safe.

    /usr/sfw/bin/certutil -N -d /var/ldap
    chmod 444 /var/ldap/*
    /usr/sfw/bin/certutil -A -n "<Display name of root CA certificate>" \
        -i </path/to/certificate> -t CT -d /var/ldap

Next, run the following command to test LDAPS connectivity between your Solaris systems and each of your DCs:
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
    ldapsearch -p 636 -h <FQDN> -P /var/ldap/cert8.db \
        -D cn=administrator,cn=users,dc=contoso,dc=com -w - \
        -b dc=contoso,dc=com -v -s base '(objectclass=*)'

Replace FQDN with the Fully Qualified Domain Name (FQDN) of the DC; use the name that appears in the DC's certificate, because the client checks it. The command assumes that your administrator account is in the default location in AD (i.e., the Users container under your domain). Replace all instances of dc=contoso,dc=com with the appropriate information for your domain. For example, if your domain is corp.fabrikam.local, you would use dc=corp,dc=fabrikam,dc=local. Any account that can bind will do for this test, so consider binding as the proxy account instead of typing a Domain Admin password on a UNIX host. If the command runs successfully, the output will show configuration data for the domain.

The next step is to configure Pluggable Authentication Modules (PAM) to use LDAP for authentication, account control, and other user management functions. The file you need to modify is /etc/pam.conf. Follow the directions in the EXAMPLES section of the pam_ldap(5) manual page to configure PAM to use LDAP for user authentication and account management. Web Listing 1 (www.windowsitpro.com, InstantDoc ID 97291) shows a sample pam.conf file for Solaris.

Next, run the command ldapclient as root to configure Solaris to use LDAP to authenticate users. The command takes a lot of arguments, so I recommend that you create an executable shell script (e.g., /tmp/initldap.sh) and populate it with the contents of Web Listing 2. You'll need to make some changes for your environment. Change defaultServerList on line 2 so that it contains the IP addresses of the DCs that Solaris will use as LDAP servers. You must use IP addresses because when the ldapclient command runs, it temporarily disables the DNS client and /etc/hosts file lookup. On line 3, change defaultSearchBase to point to the root of your domain. On line 4, change the remainder of the line after passwd: to point to the OU or container in your AD that contains the user objects representing UNIX and Linux user accounts. On line 5, change the remainder of the line after group: to point to the OU or container that contains the group objects representing groups on UNIX and Linux clients. On line 6, change domainName so that it's the name of your domain in AD. On line 8, change the remainder of the line after proxyDN= to point to the proxy account you created earlier, which UNIX and Linux clients use when binding to DCs so that they can search AD. On line 9, change the password to the password of the proxy account. Then, run the shell script that you just created. If the script works, you'll see the system being configured and you'll receive the message System successfully configured.

The proxy username and password specified in the shell script as arguments to the ldapclient command are written to files in the folder /var/ldap (the credentials go into ldap_client_cred). Only root needs to read that credentials file, so use chown and chmod to make sure it's owned by root and readable by no one else; leave the certificate database you created above readable, because the client libraries need it. Also delete the shell script, or at least strip the password from it, once it has run, because it holds the same secret in clear text in /tmp.

The last step is to edit the file /etc/nsswitch 
.conf, to reflect your specific environment. 
When ldapclient runs, it overwrites this file, 
on the assumption that you'll use LDAP for 
all lookups, including hosts, services, and pro¬ 
tocols. Test your setup by running exec login 
from the command line, or by logging in from 
the GUI logon screen. 

FreeBSD systems. FreeBSD doesn't come with an LDAP client or the ability to use LDAP for user and group lookups, although the Ports collection includes the necessary software. Download, build, and install nss_ldap, which you can find in /usr/ports/net/nss_ldap, and pam_ldap, which you can find in /usr/ports/security/pam_ldap. For more information about the Ports collection, go to the FreeBSD Project Web site (www.freebsd.org).

After you've installed the prerequisite software, you need to import the root CA certificate of the public key infrastructure (PKI) that issued the certificates for your DCs acting as LDAP servers. To do so, place a copy of the Base64-encoded root CA certificate into your OpenSSL certificates directory (e.g., /usr/local/ssl/certs) and run the following command, replacing RootCAFile.cer with the name of the file containing the root CA certificate:

    ln -s RootCAFile.cer `openssl x509 -hash -noout -in RootCAFile.cer`.0

The symbolic link is named after the hash of the certificate's subject, which is how OpenSSL locates a CA certificate in a directory. Note that the hash algorithm changed in OpenSSL 1.0.0, so a link created with an older openssl binary won't be found by a newer library; rerunning the command (or c_rehash) with the same OpenSSL version that your LDAP client links against avoids the mismatch.

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
Next, configure your OpenLDAP client global configuration file, which you can find at /usr/local/etc/openldap/ldap.conf. Web Listing 3 contains the contents of a typical configuration file. Change the BASE entry to point to the base of your domain, tree, or forest. Change the URI entry so that it lists your DCs. You can use IP addresses, hosts in the /etc/hosts file, or DNS FQDNs, but the name you use must match the name in the DC's certificate for certificate validation to succeed, so FQDNs are the safest choice. Make sure you prefix each with ldaps://, to ensure that LDAPS is used. The TLS_CACERTDIR entry should point to the location of your OpenSSL root CA certificates directory (e.g., /usr/local/ssl/certs), and TLS_REQCERT should be left at (or set to) demand so that the client refuses a DC certificate that doesn't chain to your root CA. This file contains no secrets, so make sure it's world-readable. Test your configuration by running the following command:

    ldapsearch -D cn=administrator,cn=users,dc=contoso,dc=com -W -s base

Replace dc=contoso,dc=com with your domain information. You'll be prompted for the administrator password. If everything is configured correctly, you'll see information returned from a DC acting as an LDAP server. (If ldapsearch reports a SASL error instead, add the -x option to force a simple bind, as shown for openSUSE below.)

Then, configure the LDAP configuration file used by PAM. This file is also named ldap.conf; you can find it in /usr/local/etc/ldap.conf. Make sure you don't confuse the two LDAP configuration files. Web Listing 4 contains a sample PAM ldap.conf file. Change line 1, replacing the base in the sample with your domain's base. Change line 2 so that one or more of your DCs is listed. Remember to prefix each with ldaps://. In line 3, change the sample account name listed for the proxy account you created to support UNIX and Linux clients; specify its password in line 4. In lines 5 and 6, specify the container or OU that your user accounts are stored under. In line 7, specify the container or OU that your groups are stored in. In line 11, specify the OpenSSL folder that your root CA's certificates are stored in. Only root needs read access to this file. Ordinary users shouldn't have access, because the file contains the credentials of the proxy account.
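The two client-side mistakes the LDAP Security section warns about (binding over plain LDAP, and leaving the proxy credentials readable) are easy to reintroduce when editing these ldap.conf files by hand. The following Python script is an added example, not code from the article or from the pam_ldap/nss_ldap projects: it parses a PADL-style ldap.conf and reports the weak settings next to a hardened version of the same file. Web Listing 4 isn't reproduced on this page, so both sample files are constructed from the directive names the article refers to (base, uri, binddn, bindpw, nss_base_*, ssl, tls_checkpeer, tls_cacertdir); the hosts, DNs and password are hypothetical, and the "privileged account" test is a simple name heuristic.

```python
import os
import tempfile

# Constructed sample (hypothetical hosts and DNs): a first-attempt
# /usr/local/etc/ldap.conf with the weaknesses the article warns about.
WEAK_CONF = """\
base dc=contoso,dc=com
uri ldap://dc1.contoso.com
binddn cn=administrator,cn=users,dc=contoso,dc=com
bindpw Passw0rd
nss_base_passwd ou=Unix,dc=contoso,dc=com?one
nss_base_shadow ou=Unix,dc=contoso,dc=com?one
nss_base_group ou=Unix,dc=contoso,dc=com?one
tls_checkpeer no
"""

# Constructed sample: the same file after applying the article's advice
# (proxy account, LDAPS to every DC, certificate validation on).
HARDENED_CONF = """\
base dc=contoso,dc=com
uri ldaps://dc1.contoso.com ldaps://dc2.contoso.com
binddn cn=ldapproxy,cn=users,dc=contoso,dc=com
bindpw 3kZ9vQ8pL2mX7nR4wT6yB1cD5fG0hJ
nss_base_passwd ou=Unix,dc=contoso,dc=com?one
nss_base_shadow ou=Unix,dc=contoso,dc=com?one
nss_base_group ou=Unix,dc=contoso,dc=com?one
ssl on
tls_checkpeer yes
tls_cacertdir /usr/local/ssl/certs
"""

# Heuristic: names that mark a bind identity as far too privileged for a proxy.
PRIVILEGED_NAMES = ("administrator", "domain admins", "enterprise admins")


def parse_ldap_conf(text):
    """Parse PADL-style 'directive value' lines into {directive: [values]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_ldap_conf(text, mode=None):
    """Return a list of findings; an empty list means the file passes.

    mode is the file's permission bits (e.g. 0o600); None skips that check.
    """
    conf = parse_ldap_conf(text)
    findings = []

    # 1. Every DC must be reached over LDAPS (TCP 636), never plain LDAP.
    uris = " ".join(conf.get("uri", [])).split()
    if not uris:
        findings.append("no uri directive; add 'uri ldaps://<dc-fqdn>' for each DC")
    for u in uris:
        if not u.lower().startswith("ldaps://"):
            findings.append(f"uri {u} is not ldaps://; credentials would cross the wire in clear text")

    # 2. PADL's default is 'ssl off'; the bind must be encrypted.
    ssl = conf.get("ssl", ["off"])[-1].lower()
    if ssl not in ("on", "yes", "start_tls"):
        findings.append(f"ssl is {ssl}; set 'ssl on' so the bind is encrypted")

    # 3. The DC certificate must be validated against the enterprise root CA,
    #    otherwise a rogue server can present any certificate and harvest passwords.
    checkpeer = conf.get("tls_checkpeer", ["unset"])[-1].lower()
    if checkpeer != "yes":
        findings.append(f"tls_checkpeer is {checkpeer}; set 'tls_checkpeer yes'")
    elif not (conf.get("tls_cacertdir") or conf.get("tls_cacertfile")):
        findings.append("tls_checkpeer yes but no tls_cacertdir/tls_cacertfile; no trust anchor")

    # 4. The bind identity should be the unprivileged proxy account.
    binddn = conf.get("binddn", [""])[-1].lower()
    if any(name in binddn for name in PRIVILEGED_NAMES):
        findings.append(f"binddn {binddn} is a privileged account; bind as the proxy account instead")

    # 5. A file that carries bindpw must be readable by root only.
    if "bindpw" in conf and mode is not None and mode & 0o077:
        findings.append(f"bindpw present but file mode is {mode:04o}; chmod 600 and chown root")
    return findings


def audit_file(path):
    """Audit an ldap.conf on disk, taking the permission bits from the filesystem."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_ldap_conf(text, os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    # Write both samples to a temp dir with the permissions an admin might leave behind.
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in (("weak.conf", WEAK_CONF, 0o644),
                                 ("hardened.conf", HARDENED_CONF, 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
            print(f"{name}: {audit_file(path) or ['OK']}")
```

Point audit_file() at /usr/local/etc/ldap.conf (FreeBSD) or /etc/ldap.conf (openSUSE) to check a real client; the weak sample produces five findings and the hardened one none. The checks are deliberately conservative: a missing tls_checkpeer is reported even though libldap's own TLS_REQCERT default may already demand a valid certificate, because the article's whole design depends on that validation and an explicit setting is easier to audit.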

Next, configure PAM to use LDAP. Edit the 
file /etc/pam.d/system so that it includes the 
lines in Web Listing 5 in the appropriate sec¬ 
tions of the file. 

Then, edit the file /etc/nsswitch.conf so that the group and passwd entries look like Web Figure 1. Finally, configure the file nss_ldap.conf, which lives in /usr/local/etc/nss_ldap.conf. The LDAP configuration information in this file is used by the name service lookup provider functions when looking for users and groups using LDAP. In most cases this file is exactly the same as the ldap.conf file used by PAM, so you can use a symbolic link to point to the PAM ldap.conf file. Create the symbolic link by going to the command line and entering the following commands:

    cd /usr/local/etc
    ln -s ldap.conf nss_ldap.conf

Keep in mind that nss_ldap runs inside every process that resolves a user or group name, and a root-only file can't be read by processes running as ordinary users, so their lookups will fail (names show up as bare numeric UIDs) unless a caching daemon running as root answers the lookups on their behalf, as nscd does on openSUSE below.

You can test your configuration by using one of FreeBSD's virtual consoles (obtained by pressing Alt+F2 through F8) and trying to log on as a user configured for use by UNIX and Linux clients. If a configuration problem exists, errors will be logged to the console (press Alt+F1 to switch back to the console to check for errors), as well as to /var/log/messages.

openSUSE systems. openSUSE, like most modern versions of Linux, includes OpenSSL and LDAP client software by default. What's missing, however, is support for using LDAP to authenticate users. The openSUSE distribution CD-ROM contains the nss_ldap and pam_ldap packages, which are necessary for the solution to work. Install these packages before proceeding.

The first step in configuring an openSUSE system is to import the certificate of the root CA of the PKI that issued the SSL certificates to your DCs. Copy the Base64-format root CA certificate to /etc/ssl/certs, and run the following command:

    ln -s RootCAFile.cer `openssl x509 -hash -noout -in RootCAFile.cer`.0

Next, you need to edit the file /etc/openldap/ldap.conf. This file has the same format as the ldap.conf file used by FreeBSD, which Web Listing 3 shows. Follow the previous instructions for FreeBSD when customizing this file. The only difference between FreeBSD and openSUSE is the location of the directory in which root certificates are stored. Update the configuration file so that TLS_CACERTDIR is configured as /etc/ssl/certs. Test the configuration by running the following command:

    ldapsearch -D cn=administrator,cn=users,dc=contoso,dc=com -W -s base -x

The only difference between this command and the command used with FreeBSD is the addition of the -x flag, which directs ldapsearch to use simple authentication to the LDAP server(s) in the configuration file. This is necessary because OpenLDAP on openSUSE is built with Simple Authentication and Security Layer (SASL) support and would otherwise attempt a SASL bind. The -x option instructs the LDAP client to use a simple bind, using the credentials specified by the user.

The next step is to edit the ldap.conf file used by PAM and by the Name Service Switch (NSS). On openSUSE and similar Linux systems, the file is in the /etc directory. As with the OpenLDAP configuration file, the format is the same as that used by FreeBSD. Use the file in Web Listing 4 as the basis for your openSUSE system, and follow the previous FreeBSD instructions to customize the file. Add the following line to the file, which tells the SASL layer not to negotiate its own encryption (the LDAPS connection is already encrypted):

    sasl_secprops maxssf=0

As with FreeBSD, you need to update the 
file /etc/nsswitch.conf. Add ldap to the group, 
shadow, and passwd entries so they look like 
Web Figure 2. 

Next, configure PAM to use LDAP. Doing so is simple on openSUSE; you don't even need to edit files. Simply run the following command:

    pam-config -a --ldap

Finally, if you use the Name Service Cache Daemon (nscd) you need to stop and restart it for the changes to take effect. Run the following commands:

    nscd -K
    nscd

You can test your setup by running the command exec login within a terminal window and attempting to log on as a user who is configured in AD with UNIX attributes using Identity Management for UNIX. If everything is configured correctly, you'll be able to log on as the user.

A New Standard

LDAP is quickly becoming the new standard for user authentication, edging out NIS. (For information about LDAP's limitations, see the Web-exclusive sidebar "LDAP Limitations," www.windowsitpro.com, InstantDoc ID 97292.) LDAP is more secure, provided that clients bind over LDAPS and validate the DC certificates as described above, and it is supported by most UNIX and Linux systems, as well as by many enterprise applications that run on these platforms. LDAP can also be used for more than simply authentication. An LDAP database can store information about hosts, protocols, services, and applications. Using LDAP will enable your enterprise to grow securely.
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
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By June 30, 2008, every US government 
agency network backbone must be able to 
handle IPv6 traffic. 

A number of IPv6 task forces are in opera¬ 
tion around the world. You can find details 
about many of them at www.ipv6tf.org. 

Most higher academic institutions in the 
western hemisphere and much of Asia have 
been using IPv6 since 2003. 



BY JOHN HOWIE

Configure IPv6 in your network, even if your routing infrastructure doesn't yet support it

As I maintained in "The Inevitability of IPv6, Part 1" (InstantDoc ID 96880), even if you have no immediate plans to migrate to IPv6 in your enterprise, you need to be ready for it, and you need to understand how Windows products and updates to existing products do or will ship with IPv6 enabled and running out of the box. If you communicate regularly with business partners over the Internet, you might be forced to tackle IPv6 because many companies are already beginning to make the transition. Increasingly, governments, including the US Government, are mandating its use.

In Part 1, I described how Microsoft is supporting IPv6 in its product line, and I provided an overview of how IPv6 addressing works. Be sure you're well-versed in that article's foundational information before taking the plunge into this month's discussion, which is Part 2 of a three-part series. Now, without further ado, let's investigate how to install and configure IPv6 in your Windows network and how to use IPv6 to communicate, even if your routing infrastructure doesn't yet support it.


Installing IPv6 on Windows 2003 and XP

As I explained in Part 1, Windows Vista comes with IPv6 installed and running, as will 
Windows Server 2008 when it ships. However, if you're running Windows Server 2003 
and Windows XP, you’ll need to manually install and configure IPv6. Let's get to it! 

To install the IPv6 protocol on the earlier OSs, select the adapter on which you want to use IPv6, open its Properties dialog box, and click Install to open the Select Network Component Type dialog box. You can install Client, Server, and Protocol components. Select Protocol and click Add to open the Select Network Protocol dialog box, select Microsoft TCP/IP version 6 from the options, and click OK. Figure 1 shows the dialog boxes on a Windows 2003 system. You don't need to visit each machine to install IPv6. You can simply run the command

    netsh interface ipv6 install

from a startup script or within a package that you can distribute to each system, perhaps via Microsoft Systems Management Server (SMS) or Group Policy.

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Figure 1: Installing IPv6 onto Windows 2003 (screenshot not reproduced)

Figure 2: Ipconfig output on a Windows 2003 system (reconstructed from the screenshot; the last hextet of the Local Area Connection's IPv6 address is illegible in the original)

    Ethernet adapter Local Area Connection:
       IP Address . . . . . . . . . : 172.21.21.8
       Subnet Mask  . . . . . . . . : 255.255.255.0
       IP Address . . . . . . . . . : fe80::203:ffff:fec6:da..%5
       Default Gateway  . . . . . . : 172.21.21.1

    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       IP Address . . . . . . . . . : fe80::ffff:ffff:fffd%4

    Tunnel adapter Automatic Tunneling Pseudo-Interface:
       IP Address . . . . . . . . . : fe80::5efe:172.21.21.8%2

Once you've installed IPv6, you'll notice that, unlike IPv4, you can't configure the protocol's properties from the network connection's Properties dialog box. With IPv4, you would configure an interface with a static IP address or configure it to use DHCP to get an address from a DHCP server. With IPv6, that's not the case. As I described in Part 1, an IPv6 unicast link-local address can be derived from the NIC's 48-bit MAC address. Windows 2003 and XP automatically use this process to assign a link-local IPv6 address to an interface. This address, which falls within the fe80::/64 prefix, can be used to communicate with every other host running IPv6 on the same link but can't be used to communicate with hosts through a router. IPv6 routers never forward traffic with unicast link-local addresses.
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

A word of caution here: If you use Microsoft 
Virtual Server or another virtualization suite 
to host virtual machines (VMs), you need to 
make sure that each VM has a unique MAC 
address for each virtual NIC. If you don't, each 
node running IPv6 will have the same IPv6 
address—and that will cause you problems. 

You can determine a node's unicast link-local address by running Ipconfig from the command line. Figure 2 shows the Ipconfig output on a Windows 2003 system. You'll see three unicast link-local addresses; ignore the addresses for the Automatic Tunneling and Teredo adapters. (I'll cover these later.) The %n component (where n is a number) at the end of each IPv6 address refers to the NIC or adapter to which the address is assigned. Windows uses numbers to identify both physical and virtual network interfaces or adapters. The adapter number is important for reasons that I will discuss shortly.

If you run Getmac from the command 
line, you'll see how the MAC address for each 
NIC has been used to build the IPv6 unicast 
link-local address. You can verify that IPv6 is 
working on a node by using the Ping command 
to test the IPv6 loopback address, which is ::1. 
You can use Ping to verify communication 
with other IPv6 nodes if you know their IPv6 
unicast link-local addresses. However, there's 
a trick to successfully using Ping. When you 
specify the IPv6 address of the node for which 
you want to test connectivity, you must append 
your node's adapter number. For example, in 
Figure 2, the unicast link-local address of 
the Local Area Network adapter has the 
suffix %5, meaning that the address is 
bound to adapter number 5. To ping the 
node with the unicast link-local address 
fe80::203:ffff:feab:3045, you would type 
in the command 

ping fe80::203:ffff:feab:3045%5

As quick and easy as it is to get IPv6 up and running with unicast link-local addresses, an enterprise still has to take several steps to build a useful IPv6 network. Unicast link-local addresses won't work in routed networks and can't be used over the Internet. Routable addresses need to be assigned to hosts, routers need to be configured, and DNS needs to be configured to enable mapping of FQDNs to IPv6 addresses.


Configuring Windows with Routable IPv6 Addresses

Configuring Windows with routable IPv6 
addresses can be easy or difficult, depending 
on your enterprise's circumstances. Typically, 
you configure a host to obtain an IPv4 address 
from a DHCP server, or set a static address. 
As I mentioned earlier, there's no means to 
configure IPv6 from a network connection's 
Properties dialog box in Windows 2003 or XP. 
(Vista and the forthcoming Server 2008 do 
let you set the IPv6 address in this fashion.) 
If you’ve been paying attention to Microsoft marketing lately, you’ve heard a lot about a concept called Unified Communications (UC). I’ve talked with some people who weren’t sure what UC was all about. Is it a new product or line of products? The answer to that question is both simple and complex, but at its core, UC is about Microsoft’s recognition that communication plays an important role in the modern workplace.

Just for a minute, think about the adoption curves for new technology like email and instant messaging (IM). Email was around for many years as an internal communication channel (often subordinate to the telephone) before the Internet allowed companies to use it as a way to talk to business partners, vendors, and customers. The IM revolution happened more quickly. Compared to the time it took for email adoption, it wasn’t long at all from the introduction of free public IM clouds to when companies began adopting commercial IM solutions for their users.

At his keynote address at the Microsoft Unified Communications Launch event in October 2007, Bill Gates pointed out that the average worker now has multiple communications identities associated with him, such as a corporate email address, a corporate IM address, a desk phone number, and a mobile phone. Managing the contact data for these communications channels alone can be a big job. Microsoft’s UC solution is aimed at redefining the way information workers think about communicating with each other. Rather than trying to decide if I’m at my desk and can answer an IM versus needing to dial down my list of contact numbers, my co-workers should just be able to contact me and let our computers and devices negotiate the best connection method. We should also be able to seamlessly move our conversation between different modes and include other people as necessary.

As a result of this new way of viewing different communications mediums as different facets of a unified communications strategy, Microsoft has made Exchange Server 2007 and Office Communications Server (OCS) 2007 the cornerstones of its UC family. I’m going to explain what the other pieces are, how they all work together, and tell you the basic concepts you need to know to put them to effective use in your environment.

What Gets Unified? 

To start unraveling the UC puzzle, I want to step through the different pieces you’ll need in your own deployment and talk about what each piece contributes to the overall solution. Figure 1 gives us an overall look at a typical UC deployment.

The typical Microsoft UC deployment has the following components:

• Exchange Server 2007 to provide Unified Messaging functionality, inbound fax support, and Outlook Voice Access; Outlook 2007 to provide a full-featured mailbox client.

• Office Communications Server 2007 to provide presence, IM, and VoIP capabilities; Office Communicator 2007 to provide a single client for all types of communication.

• A Voice over IP (VoIP) system or Private Branch eXchange (PBX) to provide telephony and connectivity with the Public Switched Telephone Network (PSTN); you may need additional gateway devices.

• User access devices such as desktop computers, laptops, Windows Mobile Pocket PCs, and Windows Mobile smartphones to provide “anywhere” connectivity; new UC-enabled devices offer better integration and functionality.

[Figure 1: Unified Communications components]

As you may notice, several of these pieces are 
Microsoft applications; others are not. As you may 
have guessed, some of them are optional, even though 
Microsoft’s UC vision definitely extends to all these 
areas of functionality. Let’s dig a bit deeper and find 
out exactly what each of these pieces provides. 

OCS 2007 and Office Communicator 2007 

OCS 2007, the latest incarnation of Live Communications Server, is definitely the centerpiece of Microsoft’s UC strategy. Most people who are familiar with the LCS pedigree still think of OCS as “just” an IM/presence solution. In reality, Microsoft’s decision to use the Session Initiation Protocol (SIP) as the basis of LCS (and now OCS) meant that it could begin to offer some interesting telephony integration. SIP has become one of the major components in modern VoIP systems and offers the ability to easily integrate and control text, audio, and video streams all in a single session.

As a result, OCS 2007 has gone far beyond its roots in text-based IM. To make it even more exciting, Microsoft added the Web-based Web conferencing capabilities of Live Meeting. As a result, OCS is now capable of acting as the centerpiece of a full-featured VoIP deployment or acting in tandem with your existing PBX to provide additional capabilities:

• Permit multi-party chat sessions. Each participant can easily and seamlessly add and remove audio and video streams to the conversation as appropriate.

• Allow inbound phone calls to your extensions to be answered by OCS, routed to where the user is logged in, and completely handled by software.

• Allow outbound phone calls. Users select a contact from their list (or Active Directory) and initiate a voice call from their IM client.

• Escalate existing chat sessions to ad-hoc Live Meeting sessions, allowing application sharing and other Live Meeting features.

• Log into OCS—and get all of this functionality—from beyond the firewall, without requiring a VPN connection.


To get the most out of OCS 2007, Microsoft offers the 
Communicator 2007 client. Communicator integrates 
with Outlook (when present) and your Exchange 
mailbox, giving you the ability to save your text chat 
histories in the Conversation History folder of your 
mailbox. Communicator uses the microphone and 
camera devices connected to your computer, allowing 
you to use existing hardware for your conferencing. It 
also provides full softphone capabilities, allowing it to 
answer and place VoIP calls. 

Exchange Server 2007 Unified Messaging and Outlook 2007

Exchange Server might at first seem to be an odd application to be part of Microsoft’s UC strategy, but it’s really the new Unified Messaging (UM) role that we’re interested in. UM allows Exchange to step beyond being a messaging and collaboration server (albeit a rich one) to also acting as a unified inbox for faxes and voicemail as well. A UM server provides integration with SIP-based PBX systems, allowing it to provide the following capabilities:

• You can establish multiple auto-attendants, handling both DTMF touch-tone menu selection as well as voice recognition.

• OCS doesn’t provide any voicemail capability; although OCS has all the other functionality for a pure software VoIP deployment, you need Exchange 2007 (or some other voicemail product) for your voicemail needs. Incoming faxes and voicemails are automatically delivered to the recipient’s inbox.

• Exchange 2007, like OCS, is SIP-based and supports the Direct In-Dial (DID) capability offered by most telephony providers. With DID you can give each user his or her own direct phone numbers for voice and fax, allowing the system to determine the proper recipient for each call.

• Exchange 2007 UM provides Outlook Voice Access (OVA), which allows users to call in from any phone and access mailbox, calendar, and contact data through voice recognition. Instead of fumbling with touch-tone menus, your users simply speak commands to OVA, such as “Voicemail,” “Calendar,” or “Email,” and listen as OVA reads the appropriate content back to them.

For full OCS 2007 integration, you must deploy 
Exchange Server 2007 SP1. 

Outlook 2007 is, of course, the preferred email client for Microsoft’s UC strategy. While it doesn’t provide a lot of new major features, it supports new technologies such as the Windows Desktop Search engine that make it easier to find the records of your communications, such as IM conversation histories from Communicator or the annotations you made to a voicemail message. It also provides APIs for Communicator to access your mailbox even when Outlook isn’t started.

Voice Over IP and Traditional Phone Systems 

If you’re like the vast majority of companies out there, you have an existing phone system deployed. There are three main possibilities:

• A traditional PBX system. This system takes in one or more phone lines, either in analog (B-1) or digital (T-1 or PRI) format, and provides a central switch. You then have one or more extension phone stations that plug into the system using one or more pairs of copper phone wiring. PBX systems can offer integrated voicemail and other features, such as tying together multiple locations into the same logical phone system.

• A VoIP PBX system. For the most part, this is the same thing as a traditional PBX; the big change is that instead of using dedicated phone wiring to connect the extension stations with the central switch, a VoIP system uses a protocol such as SIP to communicate over TCP/IP networking. Each switch unit and extension station thus requires its own IP address.

• No sort of system. This is common in smaller businesses; you have multiple incoming phone circuits from the phone company, each with one or more extension sets on the line. The advantage here is that you don’t have to buy dedicated phone equipment; the disadvantage is that you’re stuck with the features your phone company gives you.

To use your phone system with OCS and Exchange, you’ll need them to speak SIP — and the right flavor of SIP. There are two variants: SIP transported over UDP (SIP-UDP) and SIP transported over TCP (SIP-TCP).

To take advantage of Microsoft UC, you need to support SIP-TCP; if your devices use SIP-UDP, you’ll need a SIP router to translate.

Most traditional PBXs don’t speak either variant of SIP; 
for these, you’ll need to get a SIP gateway. We’ll talk 
about those in a moment. Many VoIP PBXs already 
speak SIP and may be capable of supporting SIP-TCP 
after a firmware or software upgrade; check with your 
vendor. 

User Access Devices 

There are several types of user access devices to provide the final piece of the UC puzzle. These devices all allow your users to do more communicating in new ways:

• Windows Mobile devices give you UC on the go. As long as you’re connected to a cellular provider or the Internet, Pocket Outlook and Pocket Communicator allow you to access Exchange and OCS from wherever you’re at. The new codecs used by Exchange and OCS are specifically designed to be low-bandwidth and usable from the speakers on mobile devices. For best results, your devices should be running Windows Mobile 6 or later.

• Tanjay and Catalina phones, co-designed by Microsoft and various hardware vendors, give you access to phone capabilities in new ways. Tanjay devices use a touch screen that gives you a Communicator-like experience for handling audio conversations without the traditional phone keypad or buttons. Catalina devices give you a traditional handset, again without a keypad or buttons, which plugs into your computer via USB.

• The RoundTable conferencing peripheral integrates with Communicator and Live Meeting. Designed for a conference room, this combination speakerphone and 360-degree camera allows meeting participants to see a roomful of attendees at once in panorama view while also having the ability to focus on the current speaker - automatically handled by the RoundTable device.

None of these devices are required - but they make UC even easier to use.

Gateway Devices 

I briefly mentioned the concept of a SIP gateway when 
talking about PBXs previously. As stated, gateways are 
used to translate non-SIP systems into SIP. Both OCS 
and Exchange deal exclusively with SIP connections; 
they have no idea how to handle the world of traditional 
telephony, either analog or digital. 

If you have the third type of PBX — that is, none — then 
you’ll definitely need a gateway device. In this case, the 
gateway directly takes in your phone lines (however 
they’re presented to you by your phone company) and 
performs the necessary translations into SIP-TCP. These 
devices can often be low-cost, allowing even a small 
company to gain the benefits of UC without a large 
investment in PBX or VoIP PBX hardware. 

Conclusion 

Microsoft’s UC strategy is simple to understand: connect to the person, not their IM client or mobile phone. Bill Gates presented a vision of phones without buttons or keypads, where the computers and networks do the work of figuring out the best way for people to communicate. With OCS 2007 and Exchange 2007, you don’t yet have completely thought-free “anywhere” communication, but you’ll come closer to it than you ever thought possible.


Devin Ganger is a messaging architect for 
3sharp, an Exchange MVP, and co-author of The 
Exchange Server Cookbook (O’Reilly and Associates). 
Additionally, there's currently limited support for using DHCP with IPv6. There's no supported IPv6-capable DHCP server available for Windows 2003 from Microsoft, and you'll have to wait for Server 2008 for an IPv6-capable DHCP server.

As I discussed in Part 1, a routable IPv6 address can be a unicast site-local or globally aggregatable address. A site-local address is similar to private IPv4 addresses that fall in the range 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255, and begin with FEC0::/48. Each site-local address has a 16-bit subnetwork identifier, followed by a 64-bit interface identifier. A site can have as many as 65,535 subnetworks. The interface identifier is derived from the NIC's MAC address, just like a link-local address. Like the IPv4 equivalent, site-local addresses can't be used to communicate over the Internet; thus, site-local addresses are useful if you want to use IPv6 internally. Without an IPv6-capable DHCP server, configuring a site-local address for a node is accomplished either as a manual, per-machine process using Netsh or, more usually, through address auto-configuration.

Auto-configuration is a means by which nodes can determine both site-local and globally aggregatable addresses from IPv6 routers on the same link—that is, routers that can be pinged using their link-local address from a node. When a node starts or when the network interface is reset (e.g., a previously disconnected laptop connects to a corporate network), the node will send out a router-solicitation message on each network interface—in essence, a request for routers on the same link to make themselves known. Properly configured IPv6 routers will respond with a router advertisement address, consisting of a site-local prefix address in the form of fec0:0000:0000:subnetid::/64. The node will configure each interface on which it receives a router advertisement in response to a router-solicitation message with an IPv6 address consisting of the site-local prefix received from the router and the 48-bit MAC address of the interface the solicitation was sent over and the advertisement received.

Figure 3 shows the output of the Ipconfig command on Vista, clearly identifying the site-local address assigned to the Local Area Connection adapter. Neither Windows 2003 nor XP differentiates between link-local and site-local addresses and instead just displays them as IP Address. Windows will configure the IPv6 router to be the default gateway for IPv6 traffic. Assuming your routers have accurate IPv6 routing tables, you don't need to configure your Windows nodes further.

To verify that you can connect with IPv6 
nodes not on the local link, you can use Ping 
and specify site-local addresses instead of link- 
local addresses. You don't need to append the 
IPv6 address of the destination node with the 
adapter number of an interface when using 
site-local addresses, because each address 
should be unique across all your subnets— 
assuming your routers are configured correctly 
with subnetwork identifiers. 

Connectivity with ISATAP 

If your network doesn't have IPv6-capable routers, it's still possible to use IPv6 in your enterprise to facilitate communication between nodes on different links, by using a technology called Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), which is configured automatically for you. You can use ISATAP only on nodes running both IPv4 and IPv6. If you look back at Figure 2, you'll see the entry for the Automatic Tunneling adapter. This is the ISATAP-configured IPv6 address. (You can identify it in Vista by running the command Ipconfig /all and looking for a tunnel adapter whose description begins with the name isatap.)

Every Windows OS with IPv6 enabled and an IPv4 address will automatically create an ISATAP address. ISATAP addresses take the form ::5EFE:w.x.y.z, where w.x.y.z is the host's IPv4 address. ISATAP addresses can have any prefix, including a link-local address, site-local address, or a globally aggregatable address, although a prefix that is a site-local or globally aggregatable address implies that IPv6 routing is possible, and ISATAP isn't necessary. For this reason, ISATAP addresses on Windows use the link-local prefix fe80::.
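As an added example (not code from the article), the following Python script reproduces the address derivations described here and in the earlier link-local discussion: the modified EUI-64 interface identifier that lets you compare Getmac against Ipconfig, the site-local address a node auto-configures from a router-advertised fec0:0:0:subnetid::/64 prefix, and the fe80::5efe:w.x.y.z ISATAP address, plus a check for the duplicate-MAC problem the article warns about for virtual machines. The host names and all MAC addresses except 00-03-FF-AB-30-45 are constructed; 00-03-FF-AB-30-45 and 172.21.21.8 are the article's own example values.

```python
"""Added example (not from the article): derive the IPv6 addresses a
Windows 2003/XP node builds for itself from a NIC's MAC or IPv4 address.

  * link-local : fe80::/64 + modified EUI-64 of the 48-bit MAC
  * site-local : fec0:0:0:<subnetid>::/64 (from a router advertisement)
                 + the same interface identifier
  * ISATAP     : <prefix>::5efe:w.x.y.z from the host's IPv4 address
plus the duplicate-MAC check the article recommends for virtual machines.
Host names and MACs are constructed, except 00-03-FF-AB-30-45 and
172.21.21.8, which are the article's own example values."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional


def modified_eui64(mac: str) -> int:
    """64-bit interface identifier from a 48-bit MAC (RFC 4291, App. A).

    Accepts Getmac's 00-03-FF-AB-30-45 form as well as colon-separated
    MACs. The OUI and NIC halves are joined with ff:fe and the
    universal/local bit (bit 1 of the first byte) is inverted."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def _in_prefix(prefix: str, iid: int) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"expected a /64 prefix, got {prefix}")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_from_mac(mac: str, adapter: Optional[int] = None) -> str:
    """fe80::/64 address, optionally with the %n adapter number Windows
    requires when pinging a link-local peer (e.g. ...:3045%5)."""
    addr = _in_prefix("fe80::/64", modified_eui64(mac))
    return f"{addr}%{adapter}" if adapter is not None else addr


def site_local_from_ra(subnet_id: int, mac: str) -> str:
    """Address auto-configured from a router advertisement carrying the
    site-local prefix fec0:0000:0000:subnetid::/64."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("the site-local subnetwork identifier is 16 bits")
    return _in_prefix(f"fec0:0:0:{subnet_id:x}::/64", modified_eui64(mac))


def isatap_address(ipv4: str, prefix: str = "fe80::/64") -> str:
    """ISATAP interface identifier 0:5efe:w.x.y.z. Windows uses the
    link-local prefix because a routable prefix would mean IPv6 routing
    is already available and ISATAP is unnecessary."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return _in_prefix(prefix, (0x5EFE << 32) | v4)


def duplicate_link_locals(macs_by_host: Dict[str, str]) -> Dict[str, List[str]]:
    """Virtual machines cloned with the same virtual NIC MAC derive the
    same link-local address. Returns address -> hosts for each address
    claimed by more than one host; an empty dict means no collisions."""
    claims: Dict[str, List[str]] = defaultdict(list)
    for host, mac in macs_by_host.items():
        claims[link_local_from_mac(mac)].append(host)
    return {addr: hosts for addr, hosts in claims.items() if len(hosts) > 1}


if __name__ == "__main__":
    print(link_local_from_mac("00-03-FF-AB-30-45", adapter=5))
    print(site_local_from_ra(1, "00-03-FF-AB-30-45"))
    print(isatap_address("172.21.21.8"))
    # constructed VM inventory: vm1 and vm2 share a MAC
    print(duplicate_link_locals({"vm1": "00-03-FF-AB-30-45",
                                 "vm2": "00:03:ff:ab:30:45",
                                 "vm3": "00-03-FF-C6-DA-C1"}))
```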

One IPv6 node can reach another by using its ISATAP address, even if it's on a different link and there's no IPv6-capable router connecting the links. ISATAP is a great transition technology, letting you use IPv6 on IPv4 networks when there's no support at the router or gateway level. In Part 3 of this series, I'll further discuss ISATAP and show you how to use it to communicate over the Internet.

DNS and IPv6 

With site-local IPv6 addresses allocated to your nodes, each can use IPv6 instead of IPv4 to communicate with the other. Member servers running Windows 2003 R2 and XP and Vista clients will register their site-local IPv6 addresses in DNS, if possible. IPv6 addresses are stored as AAAA records. (IPv4 addresses are stored as A records.) DCs, even if they're IPv6 nodes, don't register AAAA records for themselves in DNS. You can always use the DNS Microsoft Management Console (MMC) snap-in to manually add AAAA records for IPv6 nodes, including non-Windows hosts. Note that if you replicate your DNS zones containing AAAA records to non-Windows 2003 servers, you might encounter difficulties because not all DNS servers support AAAA records.

[Figure 4: Using Nslookup to query a host’s IPv4/IPv6 addresses]


You can use the Ping command to test lookups of IPv6 addresses for FQDNs; simply specify the FQDN of the target host on the command line. The address retrieved and subsequently used in the ICMP echo request should be an IPv6 address. You can also use the command-line tool Nslookup to query DNS for AAAA records by simply typing set type=AAAA into Nslookup before typing the name of the server for which you're querying. Figure 4 shows the use of Nslookup to query for a Web server's IPv4 address (the default), followed by a request for the IPv6 address.

Although an IPv6 address might be available for a host in DNS, there's no guarantee that the network services running on it will support IPv6. For this reason, I don't recommend that you create AAAA records for your Windows 2003-based DCs; many of the services that run on a DC don't yet support IPv6.


In the Thick of It 

So, now you know how to install IPv6 on your DCs, member servers, and clients running Windows 2003 R2 and XP SP2. You also know how to test link-local connectivity between IPv6 nodes, and how nodes use auto-configuration in communication with IPv6-capable routers to automatically assign site-local IPv6 addresses.

In Part 3, I'll describe how to configure globally aggregatable addresses so that your nodes can communicate over the Internet with other IPv6 nodes, as well as a means to facilitate interoperability with IPv4 nodes and to run IPv6 over IPv4 when your ISP doesn't support IPv6. Stay tuned!
Windows Vista’s Wireless Security

Let your users go wireless without worries

Almost every time I advise someone to use a wireless rather than wired networking solution for their small office/home office (SOHO) or their home, I get a quizzical look and the inevitable question "Is that secure?" Admittedly, security is a big concern on wireless networks because wireless networks are more open to anonymous access than physical networks are.

However, my typical response is that although wireless can be nonsecure, it doesn't have to be—it all depends on how much you care about security. The reality is that some people simply don't care about their computer security, perhaps because of lack of knowledge or because they think they have nothing to lose even if someone does break into their network. But if you're reading Windows IT Pro, you undoubtedly do care about security.

Windows Vista is a very wireless-friendly, as well as a very secure, OS. In this article, I explain how to use Vista's wireless networking features to enhance wireless security from the client side. These features let users configure more secure wireless networks and achieve better wireless functionality than in previous OSs.


Wireless Administration 

In previous versions of Windows, hardware vendors typically provided their own tools for managing wireless networks. This method was challenging for both users and support technicians because users needed to learn how to use different vendor-specific wireless software depending on the type of computer or network adapter they had, and support personnel had to manage these various clients with different tools—mostly in a decentralized manner. Vista includes wireless client software by default. This software is hardware-vendor independent, and the interface for administering wireless networks is the same for both users and administrators. This single point of administration offers a new level of consistency for wireless clients and makes managing wireless security easier than ever before.

For additional functionality, hardware vendors and developers can use Microsoft's Extensible Authentication Protocol (EAP) architecture, called EAPHost. EAPHost is basically a framework for creating authentication mechanisms that Vista doesn't support natively. Hardware vendors or developers can use EAPHost to create a plug-in for an existing Vista wireless client, in order to provide additional authentication or encryption functionality, instead of writing a complete software package. This additional authentication functionality is available to users through the Vista wireless client (rather than in a separate application as with previous versions of Windows).

[Figure 2: WPA2-Personal security protocol]

Connecting to Wireless Networks

One of Vista's most significant improvements to wireless security is that the wireless client discloses much less information about configured wireless networks. In previous versions of Windows, such as Windows XP, the client periodically broadcasts the Service Set Identifier (SSID) names of all the configured wireless networks. Malicious users can take advantage of this behavior by catching these broadcasts, then tricking a client into connecting to a false Access Point (AP), using an SSID name that matches the SSID name of a real wireless network that's configured on the client, in order to obtain private information such as a username and password for connecting to a real AP.

In Vista, a wireless client doesn't broadcast all configured SSID names. Instead, the client broadcasts only those SSIDs that are explicitly configured as hidden and preferred networks, and only if necessary (e.g., when a user initiates a connection to configured wireless networks). If a user doesn't have any hidden networks configured, no broadcasts will occur from the client side, which greatly enhances security. (Note that using hidden SSID networks isn't a recommended practice because doing so provides only an illusion of security. Even if your AP doesn't broadcast SSID names, your clients do. Because you have many more clients than APs, and because clients are mobile whereas APs are static, a malicious user will more likely discover a hidden SSID name by sniffing client broadcast traffic rather than obtaining the name from an AP.)

Vista helps users connect to hidden networks by displaying "unnamed networks" in the Connect to a network wizard, which Figure 1 shows. To access this wizard, right-click the taskbar's network icon and select Connect to a network. If you select Wireless from the drop-down list, you'll see all the visible, hidden, and configured wireless networks on the machine. If a user attempts to connect to an unnamed (hidden) network, he or she will be prompted for an SSID name before authentication proceeds. Having to manually enter the SSID name every time you want to connect to a hidden network prevents broadcasting SSIDs from the client side when you're away from the network. You can automate this procedure by configuring Vista to connect automatically to hidden networks, although this approach requires broadcasting SSIDs. A better alternative is to use a semiautomatic approach: Configure the hidden network, deselect the option for automatically connecting to the network, but select the option to connect to the network even if it doesn't broadcast the SSID. To use this approach, select the Manage Wireless Networks option from Vista's Control Panel Network and Sharing Center applet, then open the wireless network's properties. This approach saves the network's SSID and authentication settings on the computer, but you still have to connect manually.

If you're wondering how Vista can discover 
hidden networks, then you should know that 
AP hardware actually hides SSIDs by sending a 
frame with the SSID set as NULL. Although XP 
and Windows Server 2003 can't display those 
networks to users, Vista can. 

If a user tries to connect to an unsecured network, Vista notifies the user. A network is considered unsecured if it doesn't use an authentication and encryption protocol (or if it uses a weak protocol). A Vista client will never automatically connect to an unsecured network. You can use Group Policy to configure clients to prevent all unsecured connections. Automatic connections are possible only for secured networks that are configured with network profiles on the client side.

In Vista, creating and connecting to ad-hoc (without AP) networks is enhanced from both a security and a functionality standpoint. A major security feature for ad-hoc networks is implementation of the Wi-Fi Protected Access 2 (WPA2)-Personal security protocol. As Figure 2 shows, this protocol is the default authentication method in the wizard for creating ad-hoc networks. To access this wizard, start the Network and Sharing Center applet and select the Set up a connection or network option. Before Vista, Wi-Fi Protected Access (WPA) was available only on infrastructure wireless networks, and user-to-user networks were left with weak security methods such as static Wired Equivalent Privacy (WEP).

Another useful new feature for connecting Vista to wireless networks is Group Policy's Enterprise Single Sign-On service. This feature lets users authenticate to wireless networks and domain controllers (DCs) in a single logon procedure. First, the user is authenticated by using an 802.1x-enabled device (by using a certificate or a username and password). If the logon is successful, the computer's Group Policy is applied, and credentials are passed to the domain logon procedure. Using the Enterprise Single Sign-On feature also lets you join a client to a domain by using only a wireless network, which isn't possible in XP. In XP, you have to connect the client to a physical network first, and join the client to the domain—then you can start to work on the wireless network.

Available Security Methods

Vista supports many security methods for authentication and encryption, as Figure 3 shows. WEP was the most commonly used security protocol for securing wireless networks in previous Windows versions. Although WEP is simple to implement, it's no longer considered a viable security method. WEP's main weakness is that it's based on a shared key for encryption of traffic (as well as for vector initialization). In addition, WEP uses an inferior encryption algorithm and has weak key management. These weaknesses make WEP an easily breakable solution that's no longer recommended.

The most commonly used security protocol in Vista is WPA. WPA has a better design, better key management, and a better encryption algorithm than WEP has. But WPA's major advantage over WEP is the use of Temporal Key Integrity Protocol (TKIP), which dynamically changes encryption keys as traffic goes between two hosts. Rather than WEP's cyclic redundancy check (CRC), WPA uses a better and more secure method for maintaining message integrity, called Message Authentication Code. 

Vista offers two WPA configuration options: personal and enterprise. WPA-Personal is easier to configure because it uses a shared passphrase. This passphrase, which must be known (and configured) to the client and AP, acts as a base for implementing encryption. Although WPA-Personal is much more secure than WEP, sharing a passphrase can still pose a significant risk, so this implementation of WPA is recommended for small offices or home (ad-hoc) networks. WPA-Enterprise is a much more secure protocol, but it requires the implementation of 802.1x devices, the Remote Authentication Dial-In User Service (RADIUS) protocol, and an authentication server. WPA-Enterprise is intended for use in corporate environments. Both WPA-Personal and WPA-Enterprise also exist in version 2 (i.e., WPA2). The most important difference in version 2 is the implementation of the Advanced Encryption Standard (AES)-based algorithm, rather than WPA's RC4. Although WPA2 is recommended for optimal security, you might experience limitations if your AP or client hardware doesn't support it. 

IEEE 802.1x authentication is designed for medium and large wireless LANs with authentication infrastructure consisting of RADIUS servers and account databases such as Active Directory (AD). This authentication method prevents a wireless client from joining a wireless network until it has performed a successful authentication. For authentication of clients, 802.1x uses the Extensible Authentication Protocol (EAP), with different methods such as those using username and password credentials (Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2, or PEAP-MSCHAPv2) or a digital certificate and/or a smart card (Extensible Authentication Protocol-Transport Layer Security, or EAP-TLS). 
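The methods described above correspond to the authentication and encryption values that Vista records in an exported wireless profile. The script below is an added example, not code from the article, that audits such profiles and flags the weak combinations this section warns about; it assumes the XML layout written by netsh wlan export profile, and the three sample profiles are constructed for the demonstration.

```python
"""Audit exported Vista WLAN profiles for the weak security methods discussed above.

Added example, not code from the article. The XML layout is the WLAN profile
format that `netsh wlan export profile` writes (assumption: only the name,
connectionType, authentication, encryption and useOneX elements are read).
The three sample profiles below are constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def _profile(name, conn_type, auth, enc, onex):
    # Build a constructed sample profile in the netsh export layout.
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>{conn_type}</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>{onex}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


# Constructed samples: a static-WEP ad-hoc network, a WPA-Personal/TKIP office
# network and a WPA2-Enterprise/AES corporate network using 802.1x.
SAMPLE_PROFILES = {
    "HomeAdHoc": _profile("HomeAdHoc", "IBSS", "open", "WEP", "false"),
    "SmallOffice": _profile("SmallOffice", "ESS", "WPAPSK", "TKIP", "false"),
    "CorpWiFi": _profile("CorpWiFi", "ESS", "WPA2", "AES", "true"),
}


def audit_profile(xml_text):
    """Return the profile's settings, a list of findings and an overall rating.

    rating: "reject"  - no encryption, WEP, or open/shared-key authentication
            "caution" - shared passphrase, TKIP, or first-generation WPA
            "ok"      - WPA2 with AES and 802.1x authentication
    """
    root = ET.fromstring(xml_text)
    ae = "w:MSM/w:security/w:authEncryption/"
    auth = root.findtext(ae + "w:authentication", namespaces=NS)
    enc = root.findtext(ae + "w:encryption", namespaces=NS)
    onex = root.findtext(ae + "w:useOneX", default="false", namespaces=NS)
    result = {
        "name": root.findtext("w:name", namespaces=NS),
        "ad_hoc": root.findtext("w:connectionType", namespaces=NS) == "IBSS",
        "authentication": auth,
        "encryption": enc,
        "findings": [],
    }
    f = result["findings"]
    # Encryption algorithm: WEP and TKIP are the weak choices the article names.
    if enc in (None, "none"):
        f.append("traffic is not encrypted")
    elif enc == "WEP":
        f.append("static WEP: shared key, weak cipher and weak key management")
    elif enc == "TKIP":
        f.append("TKIP (RC4-based): WPA2 with AES is recommended")
    # Authentication: a shared passphrase is acceptable only for home/small office.
    if auth in ("open", "shared"):
        f.append("no WPA/WPA2 authentication")
    elif auth in ("WPAPSK", "WPA2PSK"):
        f.append("shared passphrase: suitable for home or small-office use only")
    elif auth == "WPA":
        f.append("WPA-Enterprise: WPA2-Enterprise is recommended")
    elif auth == "WPA2" and onex.lower() != "true":
        f.append("WPA2-Enterprise profile without 802.1x enabled")

    if enc in (None, "none", "WEP") or auth in ("open", "shared"):
        result["rating"] = "reject"
    elif f:
        result["rating"] = "caution"
    else:
        result["rating"] = "ok"
    return result


def audit_all(profiles):
    """Audit a mapping of profile name -> XML text and return {name: rating}."""
    return {name: audit_profile(xml)["rating"] for name, xml in profiles.items()}


if __name__ == "__main__":
    for name, xml in SAMPLE_PROFILES.items():
        r = audit_profile(xml)
        print(f"{r['name']:<12} {r['rating']:<8} {'; '.join(r['findings']) or '-'}")
```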

Using Group Policy to Manage Wireless Networks 

Having a consistent policy for wireless connectivity in a corporate environment is important for maintaining a secure network. Using Group Policy is the easiest method for enforcing wireless and other policies. You can use Group Policy to block access to nearby wireless networks managed by different organizations, to disable the built-in support for wireless auto configuration, and to configure wireless clients to automatically connect to your organization's protected wireless networks. 

In Windows 2003 and XP, you can use a Group Policy Object (GPO) to configure wireless settings. However, Windows 2003's GPO wireless options are limited to those available in XP. Vista greatly extends those capabilities, so the GPO now covers all the new features of wireless connections. 

To use Group Policy for managing Vista wireless clients on a corporate level, you must first extend Windows 2003's AD schema with the proper attributes. The Microsoft article "Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements" (www.microsoft.com/technet/network/wifi/vista_ad_ext.mspx) includes detailed instructions for this procedure, as well as the required script. After you extend the AD schema, you can use Vista's Group Policy Management Console (GPMC—connected to the corporate forest) to configure wireless policies. Create a new GPO, then navigate to Computer Configuration, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies. Because Vista has a new set of wireless options, you must create separate policies for XP and Vista. Fortunately, you don't have to create a separate GPO for each OS and deal with WMI. You can simply right-click the GPO Wireless Network Policies item and create a new XP or Vista policy. If both types of wireless policies are configured, XP wireless clients will use only their own policy settings, and Vista wireless clients will use only their own policy settings. If no Vista policy settings exist, Vista wireless clients will use the XP settings, because they're a subset of the settings available for Vista. Note that wireless policies intended for Vista, created from Vista's GPMC and linked somewhere in the domain, aren't visible from Windows 2003's GPMC (unlike XP policies). However, this doesn't mean that the policies won't be applied. 

Wireless policies have many configuration options, such as preventing users from connecting to ad-hoc networks, preventing users from creating new wireless profiles, and enforcing only preconfigured wireless profiles. By using these options in Group Policy, administrators can create wireless profiles for some or all users that contain information about the SSID, authentication and encryption methods, and some advanced 802.1x options. For example, if you want to preconfigure a wireless network profile for a client so that he doesn't have to enter any settings, open a new policy window, select the General tab, click Add, and select the network type (infrastructure or ad-hoc). Then, enter all the data for the desired wireless network in the new profile properties window that opens (which Figure 4 shows an example of). If you want to restrict users to connect only to networks that you explicitly specify, select the Network Permissions tab rather than the General tab. 

Using Group Policy is the only method for configuring Vista's Enterprise Single Sign-On feature. Enterprise Single Sign-On options in Group Policy let you configure when 802.1x authentication will occur in relation to user logon, as well as let you integrate user logon and 802.1x authentication credentials on the DC. You can choose between performing wireless authentication immediately before or after user logon, and you can specify the number of seconds of delay for connectivity before the process begins. You can also configure options to prompt the user to fill in additional fields if necessary, and you can specify whether your wireless networks will use a different Virtual LAN (VLAN) for computer and user authentication. To configure these options, open a new policy window, select the General tab, click Add, and select Infrastructure. In the new profile properties window that opens, select the Security tab and click Advanced. 

If you're using WPA2-Enterprise authentication, Group Policy offers a set of options for configuring the caching of 802.1x authentication results, as Figure 5 shows. In the Fast Roaming section, you can configure Pairwise Master Key (PMK) caching and preauthentication options. Wireless clients and wireless APs can both cache the results of 802.1x authentications. Caching those results makes subsequent access much faster when a wireless client roams back to a wireless AP to which the client already authenticated. You can configure a maximum time to keep an entry in the PMK cache and the maximum number of entries. With preauthentication, a wireless client can perform an 802.1x authentication with other wireless APs in its range while it's still connected to its current wireless AP. You can also configure the maximum number of times to attempt preauthentication with a wireless AP. 

Figure 4: Configuring wireless policies 


Wireless Networks and NAP 

Network Access Protection (NAP), which is Windows Server 2008's and Vista's new feature for controlling network access (from the client health aspect), can also be applied to wireless networks. Vista can declare its health state while trying to connect to 802.1x-enabled wireless networks. For NAP to work on a wireless network, the current domain environment must include Server 2008 Network Policy Server (NPS). On the client side, Vista must be configured with the proper enforcement agent for 802.1x (i.e., the EAP Quarantine Enforcement Client). To configure this enforcement agent, open the NAP Client Configuration console (napclcfg.msc) and go to the Enforcement Agents node. Start the Services applet from the Control Panel's Administrative Tools, and configure the Network Access Protection service to start automatically. 

When a client that doesn't comply with company security requirements (e.g., doesn't have all updates installed) tries to connect to the corporate wireless network, NAP will deny access and will place the client in quarantine (on a separate VLAN). The client will be able to access only remediation servers (e.g., Windows Server Update Services—WSUS) that will provide the necessary updates to make the client compliant. For more information about NAP, including configuring NAP with 802.1x (which is beyond the scope of this article), go to technet.microsoft.com/en-us/network/bb545879.aspx. 


Unplug Safely 

Vista's new wireless features can help enhance wireless security in both home and corporate environments. Implementing WPA2 in ad-hoc networks can improve home network security. For corporate implementations, Vista can work with the latest security technologies to boost wireless security. 
Windows Vista Zero Touch Installations with BDD 

Use SMS to distribute Vista 


This is the final article in a three-part series exploring the Microsoft Solution Accelerator for Business Desktop Deployment 2007 (BDD) tool. I began the series in October with the Required Reading article "Planning Your Vista Deployment with BDD" (InstantDoc ID 96906), in which I showed you how to install and run the BDD tools to help you with your Windows Vista deployments. In the second article, "Using Deployment Workbench" (November 2007, InstantDoc ID 97170), I covered using the BDD Deployment Workbench wizards for a Lite Touch Installation (LTI). In this article, I'll step you through the basics of a Zero Touch Installation (ZTI), which uses Systems Management Server 2003 (SMS) to distribute a Vista OS. ZTI is a BDD deployment option for larger organizations. 


About Zero Touch Installation 

Before you begin the installation process, you need to know 
that there are two types of ZTI. The first type requires no 
administrator intervention. It supports either an upgrade 
or refresh scenario in which a target machine's OS is wiped 
clean and replaced with Vista, with user data intact. Target 
machines have the advanced SMS client agents installed. 
You use the SMS client agents to download and install SMS 
packages for deployment. The second type I call an almost 
ZTI. This installation is used for bare-metal machines with 
absolutely nothing installed, so you'll need to find a way to 
boot the target machines. The bare-metal ZTI is similar to 
a Lite Touch Install except that it uses SMS to distribute the 
new OS. In this article I cover both types of ZTI. 


Before You Begin 

Before you get started, download and install BDD 2007 as "Planning Your Vista Deployment with BDD" describes. See the Learning Path for information on the additional installations in this paragraph. Be sure to install the Windows Automated Installation Kit (WAIK), and, if you're going to save the user's state in order to migrate, install the User State Migration Tool (USMT 3.0). As I mentioned, SMS is an essential component of the ZTI; you'll need to install SMS 2003 SP2 or later with the SMS Operating System Deployment Feature Pack. SMS requires SQL Server (either Microsoft SQL Server 2005 SP2, Microsoft SQL Server 2000 SP3a or later, or Microsoft SQL Server 7.0 SP3 or later), so you must have a server running that as well. You'll also need the Windows Preinstallation Environment 2004 (WinPE). (WinPE 2.0 isn't supported by and won't work with this version of BDD.) Because WinPE 2004 requires source files from Windows XP Professional Edition SP2 (XP Pro), you'll need to have that as well. 

You might also need a Windows Deployment Service 
(WDS) server if you have clients that don't have the SMS 
advanced client agents and you want to take advantage of 
the network boot option (F12). The network boot option lets 
you PXE boot from the WDS server. 

The amount of hard disk space necessary for deploying a ZTI can be quite significant, so be sure there's enough before you get started. While BDD, SMS, and SQL Server can all be installed on a single server, you can also install each component on a separate server to distribute the workload. You'll need sufficient storage on the BDD deployment server for the custom images (Windows Imaging Format—WIM—files) that you create before your ZTI. The SMS server must have enough space to store the various components (the packages, programs, advertisements, and distribution points that I discuss later). And if you implement the logging feature for troubleshooting, you'll need to ensure that the target machines have enough hard disk space for the logs. Using the refresh scenario requires enough space on a server to store complete backups of the target machines. 
Adding OSs and Accompanying Files 

We'll begin our ZTI by launching the New OS Wizard and 
adding three components as operating systems to the 
BDD—your custom .wim files, WinPE 2004, and XP Pro SP2 
source files. If you haven't already done so, download and 
install BDD 2007 as "Planning Your Vista Deployment with 
BDD" describes. Next, log on as an administrator, and open 
Deployment Workbench from Start, All Programs, BDD 
2007, Deployment Workbench. 

Expand the Distribution Share node in the Deployment Workbench console tree, right-click Operating Systems, and click New. The New OS Wizard appears. (For more details on the New OS Wizard, see "Using Deployment Workbench.") From the wizard's Choose the type of operating system to add page, select Custom image file and click Next. The Custom image file option requires you to enter the path of the .wim file you want to use. So, on the Select operating system image file page, locate the custom .wim you've previously created and stored on a UNC path (\\Servername\Sharename) or WDS server, select it, and click Next. Specify that Setup and Sysprep files are not needed, then click Next. You can either type the name of the destination directory for your OS or accept the default destination directory name, then click Copy to add your custom .wim files. 

Now you're ready to add either WinPE 2004 
or WinPE 2005. Start the New OS Wizard again. 
From the wizard's Choose the type of operating 
system to add page, select Full set of source files 
and click Next. On the next page, browse to 
the location where you stored WinPE 2004 or 
WinPE 2005 and choose Move the files to the 
distribution share instead of copying them. 

Launch the New OS Wizard a third time 
to add XP Pro SP2. On the Choose the type of 
operating system to add page, select Full set 
of source files and click Next. On the following 
page, browse to the folder containing XP Pro 
SP2 source files and choose Move the files to 
the distribution share instead of copying them. 

Creating a Build 

After you've added your OSs, you're ready to create a build. Expand the Distribution Share node, right-click Builds, and choose New. This launches the New Build Wizard. On the Specify general information about this build page, type in a Build ID such as "VistaZTI" (remember that no spaces are allowed), a descriptive build name such as "Vista Zero Touch Installs," any comments documenting your build, then click Next. On the next page, choose the custom .wim file you added to the OSs earlier and click Next. Choose Do not specify a product key at this time, and click Next. On the Specify settings about this build page, fill in a Full name, an Organization name, and the Internet Explorer (IE) home page you'll use for all installations performed from this build, then click Next. Finally, on the Specify the local Administrator password for this build page choose Do not specify an Administrator password at this time, and click Create. 


Learning Path 

WINDOWS IT PRO RESOURCES 

“Deploying Windows Vista,” InstantDoc ID 94088 
“What’s the...SMS OS Deployment Feature Pack?” InstantDoc ID 45107 

MICROSOFT RESOURCES 

Windows User State Migration Tool (USMT) 3.0.1 download 
www.microsoft.com/downloads/details.aspx?familyid=799ab28c-691b-4b36-b7ad-6c604be4c595&displaylang=en 
Windows Automated Installation Kit (WAIK) download 
www.microsoft.com/downloads/details.aspx?familyid=c7d4bc6d-15f3-4284-9123-679830d629f2&displaylang=en 
Systems Management Server 2003 SP2 Upgrade 
www.microsoft.com/downloads/details.aspx?FamilyID=37b20b4b-dfec-464d-908b-5d783e2370d3&DisplayLang=en 
“Getting Started with Windows PE” 
www.microsoft.com/technet/technetmag/issues/2006/09/WindowsPE/default.aspx 
Microsoft SQL Server 2005 SP2 
www.microsoft.com/downloads/details.aspx?FamilyID=d07219b2-1e23-49c8-8f0c-63fa18f26d3a&DisplayLang=en 
Windows XP SP2 for IT Professionals and Developers 
www.microsoft.com/downloads/details.aspx?FamilyID=d07219b2-1e23-49c8-8f0c-63fa18f26d3a&DisplayLang=en 

Creating a Deployment Point 

Next, you'll use the New Deployment Point 
Wizard to create the deployment point, the 
location to which target machines connect to 
install a build. To launch the wizard, expand 
the Deploy node, right-click Deployment 
Points, and click New. 

For the type of build, choose SMS 2003 OSD and click Next. (For a discussion of the other types of builds, see "Using Deployment Workbench.") Type in a descriptive name, such as "Vista ZTI," and click Next. On the Specify the location of the network share to hold the files and folders necessary for this deployment type page, supply the Server name, Share name, and Path for the share (I used Server1\OSD with a path of C:\ZTI), and click Next. Choose Do not save data and settings on the Specify user data defaults page, and click Create. The last page of the wizard prompts for the location of the SMS 2003 OSD path, so browse to where you put the SMS 2003 OSD, select it, and click Create (yes, you do click Create twice). 

Expect a message that tells you the OSD deployment point has been successfully created but that, before it can be used or updated, you must first configure the Windows PE options. 

Right-click your new OSD deployment point and click Properties. Verify that the correct build is selected on the Builds tab, that the Windows PE source is set to Windows PE 2005 on the Windows PE 2004/2005 tab, and that the Windows source is set to Windows XP Professional SP2. Then, right-click the new OSD deployment point and click Update. A new folder named ZTI will be created in the root of your C: drive that contains two additional folders: Boot and VistaOSD. The Boot folder contains your WinPE 2005, and the VistaOSD folder contains all other files needed for the build. 

Configuring the SMS Components 

In SMS you'll create a package, a program, and an advertisement. In addition, you'll define distribution points and user accounts with sufficient permissions to all components. The package contains the OS source files the target machine will download and install. The program defines how the package runs (i.e., minimized, maximized, hidden, or normal), whether to restart the machine after install, and whether to run when a user is logged on or not. The advertisement determines which machines will receive the package. The distribution point determines the servers to which you'll distribute the package. Your target machines will connect to the distribution point to download and install the package. 


Creating the SMS Package 

Open the SMS Administrator console, expand the Site Database node, and right-click Image Packages. Choose All Tasks, then choose Update Windows PE to launch the Update Windows PE Wizard. On the Windows PE Settings page, for source folder, type in the path that was created earlier (e.g., C:\ZTI\Boot\Source). Click Next, Finish. 

Now you'll need to create a package that contains your custom .wim image file for SMS. Right-click Image Packages again, choose New, Operating System Image Package. This launches the New Operating System Package Wizard. On the Operating System Package settings page, type in a package name (choose something descriptive, such as Vista Ultimate) as shown in Figure 1, page 68. Then open your custom image file (the .wim image you created earlier), and browse and choose the UNC path (I chose \\Server1\SMSPackages) where your SMS package will be stored. This is called the Package source. (Take note of the package ID that's created automatically; you'll need this later when you update your Bootstrap.ini file.) Click Next. You'll see a message that SMS Distribution Points require updating due to changes to the Operating System Package; click OK, Finish. 
Figure 1: Operating System Packages settings page 


Creating the SMS Program 

Now we'll create an SMS Program, which is a subcomponent of a package. To create the SMS program, expand Image Packages in the console tree, expand the node with your new package name (for our sample package, we'll use Vista Ultimate, as shown in Figure 2), right-click Programs, choose New, Operating System Program. The New Operating System Program Wizard starts. On the New Operating System Program options page, choose to Create a new OS Program with default settings and name it Windows Vista Ultimate ZTI, click Next. On the Licensing settings page, select Product key not required and click Next. On the Membership settings page, select Domain and input your NetBIOS domain name. Then set the domain account and password that has rights and permissions to add computers to the domain. Uncheck Create random password for the local administrator, click Next, then Finish. Once again expect a message about your SMS Distribution Points needing to be updated due to the changes you made; click OK, Finish. 


Updating the SMS Distribution Point 

The next step is to update the SMS distribution point with the servers to which the package will be distributed. 

To update the SMS distribution point, expand Image Packages, right-click the node with your new package (Vista Ultimate in our sample), then choose All Tasks, Distribute Software. The Distribute Package Wizard launches. On the Package page, click Select an existing package, in the Packages box select your Package name, then click Next. On the Distribution Points page, choose the servers you want to use as distribution points and click Next. 


Figure 2: Vista Ultimate in the Image Packages node 


Advertising a Program 

On the Advertise a Program page, choose Yes to advertise a program from this package, click Next. Choose your program name on the Select a Program to Advertise page, click Next. The Advertisement Target page defines which computers the program will be offered to. SMS has some default groups of computers called "collections" that you can use, or you can create your own collections. I recommend creating a collection of test machines to run the package on first. This way you can deal with any problems before you run the package on production machines. Give the advertisement a name on the Advertisement Name page, click Next. Choose whether you want to also advertise to subcollections (subcollections are collections created from another collection), click Next. Create an Advertisement Schedule for when you want it to be made available to your SMS clients. You can also schedule the program to be available for a limited time, then click Next. Finally, select if you want the program to be assigned or not. An assigned program is a mandatory program; you can set it to run at a predefined date and time and nobody could stop it (short of downing the computer, but when it comes up again it'll still attempt to run the program). 

Creating SMS Advanced Client Credentials 

For an upgrade or refresh scenario, the SMS advanced client runs on each local machine. This client uses the SMS advanced client network access account and requires sufficient credentials to present when accessing the SMS distribution points, BDD 2007 deployment point, and shared folders. You'll need to create and configure a domain user account that can be used for the SMS advanced client network access account. First, create a domain user account in Active Directory (AD). Then, in the SMS Administrator Console, expand Site Database, Site Hierarchy, Site Code (3-digit code), Site Settings, Connection Accounts. Right-click Client, choose New, Windows User Account. In the Connection Account Properties dialog box, click Set, then supply the User name, Password, and confirm password for the account you created in AD. Now return to the expanded Site Settings node and select Component Configuration. In the details pane, right-click Software Distribution and choose Properties. On the General tab under Advanced Client Network Access Account, set the domainname\useraccount_name of the account you created in AD. 


Editing Bootstrap.ini in Deployment Workbench 

Next, you'll need to edit the Bootstrap.ini file in your deployment point to include the SMS package ID number that was generated when you created your SMS package. (Remember, you made a note of it earlier. You can also find it in the SMS Administrator console. Select Image Packages and in the details pane you'll see your package name and package ID.) Go back to Deployment Workbench, expand the Deploy node, and choose Deployment Points. In the details pane, right-click the Vista ZTI deployment point and select Properties. On the Rules tab, click the Edit Bootstrap.ini button in the lower-right corner. Modify the OSDINSTALLPACKAGE= and OSDINSTALLPROGRAM= lines as follows: OSDINSTALLPACKAGE=C0100001 and OSDINSTALLPROGRAM=Vista Ultimate. After you've edited the Bootstrap.ini file, you'll need to update your deployment point. In Deployment Workbench, expand Deploy, select Deployment Points; in the details pane right-click your Vista ZTI deployment point and choose Update. 
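The same two-line edit can be scripted when you maintain several deployment points. The function below is an added example, not part of the article or of BDD 2007, that rewrites those keys in a Bootstrap.ini and refuses a malformed package ID; the sample file is constructed, and the ID format check assumes the SMS 2003 convention of a 3-character site code followed by 5 hexadecimal digits.

```python
"""Set the SMS package ID and program name in a BDD 2007 Bootstrap.ini.

Added example, not code from the article or from BDD. The sample file text is
constructed; the package-ID check assumes the SMS 2003 convention of a
3-character site code followed by 5 hexadecimal digits (e.g. C0100001).
"""
import re

# Constructed sample in the BDD 2007 layout: a [Settings] section that selects
# the [Default] rule section, which holds the two OSD keys the article edits.
SAMPLE_BOOTSTRAP_INI = """[Settings]
Priority=Default

[Default]
DeployRoot=\\\\Server1\\OSD
OSDINSTALLPACKAGE=
OSDINSTALLPROGRAM=
"""

# Assumed SMS 2003 package ID shape: 3-character site code + 5 hex digits.
PACKAGE_ID_RE = re.compile(r"^[A-Z0-9]{3}[0-9A-F]{5}$")


def _add_missing(out, wanted, seen):
    """Insert keys not yet written, ahead of the blank lines that end a section."""
    idx = len(out)
    while idx > 0 and out[idx - 1].strip() == "":
        idx -= 1
    out[idx:idx] = [f"{k}={v}" for k, v in wanted.items() if k not in seen]


def set_osd_program(ini_text, package_id, program_name, section="Default"):
    """Return ini_text with OSDINSTALLPACKAGE and OSDINSTALLPROGRAM set in `section`.

    Existing keys are rewritten in place, missing ones are appended to the
    section (the section itself is created if absent), and every other line is
    kept verbatim. Raises ValueError on a malformed package ID or program name.
    """
    if not PACKAGE_ID_RE.match(package_id):
        raise ValueError(f"not an SMS package ID: {package_id!r}")
    if not program_name.strip() or "\n" in program_name:
        raise ValueError("program name must be a single non-empty line")
    wanted = {"OSDINSTALLPACKAGE": package_id, "OSDINSTALLPROGRAM": program_name}
    out, seen, current, found = [], set(), None, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if current == section:          # leaving the target section
                _add_missing(out, wanted, seen)
            current = stripped[1:-1]
            found = found or current == section
        elif current == section and "=" in stripped and not stripped.startswith(";"):
            key = stripped.split("=", 1)[0].strip().upper()
            if key in wanted:
                out.append(f"{key}={wanted[key]}")
                seen.add(key)
                continue
        out.append(line)
    if current == section:
        _add_missing(out, wanted, seen)
    elif not found:
        out += ["", f"[{section}]"]
        _add_missing(out, wanted, seen)
    return "\n".join(out) + "\n"


def get_value(ini_text, key, section="Default"):
    """Read one key (case-insensitive) from a section; None if it is absent."""
    current = None
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
        elif current == section and "=" in s and not s.startswith(";"):
            k, v = s.split("=", 1)
            if k.strip().upper() == key.upper():
                return v.strip()
    return None


if __name__ == "__main__":
    print(set_osd_program(SAMPLE_BOOTSTRAP_INI, "C0100001", "Vista Ultimate"))
```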

Introducing ZTI Files and Scripts to the SMS OSD Phase 

Now that you've edited Bootstrap.ini and updated your deployment point, you'll need to configure your program to call the ZeroTouchInstallation.vbs script in each phase, then update your distribution points. In the SMS Administrator console, expand Image Packages, click the Vista Ultimate package, select Programs. Then right-click the Vista Ultimate program in the details pane, and choose Properties. On the Advanced tab, shown in Figure 3, configure each phase with a custom action. The first phase is Validation. Click the Add button, choose custom, OK. For Name, choose ZTI-Validation, and for the command line enter ZeroTouchInstallation.vbs (you'll do this a few times, so select the .vbs script name and press Ctrl+C to copy it). For Files, click Add and enter the UNC path of the \\Server1\ZTI$\VistaOSD folder created when you created your deployment point in BDD. Next, ensure that Files of type is set to All Files (*.*), then select all files (click one and press Ctrl+A), and click Open. Configure all of the subsequent phases with a ZTI-phase name and a command line of ZeroTouchInstallation.vbs. So, the State Capture phase should have a custom action ZTI-StateCapture with a command line of ZeroTouchInstallation.vbs. There's no need to add files to the other phases; they can use the copy you've introduced to the Validation phase. Configure the Preinstall, Postinstall, and State Restore phases in the same manner as the State Capture phase. When you click OK, SMS updates the package contents, and you'll see the message "SMS Distribution Points require updating." In the SMS Administrator Console, under Image Packages, right-click Vista Ultimate, choose All Tasks, Update Distribution Points, and click Yes. 

Booting a Bare-Metal Machine 

If you're performing a ZTI on a bare-metal machine, you'll need to figure out a way to boot the target machine. You have a few options. The first is to create an OS image installation CD-ROM. The second is to perform a PXE boot on the client, press F12 for a Network Boot (this can be automated on the WDS server), and connect to a WDS server. The third is to use third-party utilities that automate the PXE boot for you and connect to a WDS server. 

To create an OS image installation CD-ROM in the SMS Administrator console, right-click Image Packages and choose All Tasks, Create Operating System Image Installation CD. The Operating System Image Installation CD Wizard launches. On the Installation settings page, ensure the only two options selected are Allow installation of Operating System Packages from SMS Distribution Points and Automatically choose the OS Package to install by running a custom program or a script, and click Next. On the Install from SMS distribution points page, choose Vista Ultimate, Next. On the Automatically select Operating System Package page, for File name, enter \\Server1\ZTI$\ZeroTouchInstallation.vbs, for Arguments enter /debug:true, then supply the User name and Password for the user account that has full control over all of the SMS and BDD files (domainname\username) and click Next. On the Windows PE settings page accept the defaults and click Next. Then, on the Create Image page, type in the name VistaOSDCD and the filename VistaOSDInstall. Click Finish to create a VistaOSDInstall.iso that can be burned to a CD-ROM that you can use to boot a bare-metal machine. 

To perform a PXE boot and connect to a WDS server, you'll add your ZeroTouchInstall.wim (this is created automatically when you create your BDD deployment point) to a WDS server. There is one caveat when it comes to ZTIs and WDS integration: The WDS server must be compatible with the older version of WDS called Remote Installation Services (RIS). To have a compatible WDS server, you must first install RIS (go to Control Panel, Add or Remove Programs, Windows Components, and scroll down to RIS), then upgrade using the WINDOWS-DEPLOYMENT-SERVICES-UPDATE-X86.EXE hotfix found in the WDS folder of Windows Automated Installation Kit (WAIK). If you've already upgraded your server's OS to XP Pro SP2, you no longer have the option to install RIS. So, if you want to exercise the PXE boot option for ZTIs on bare-metal machines, I suggest that before you upgrade all of your servers to XP Pro SP2, you retain one to install RIS on. 


Upgrading or Refreshing 
the Target Machines 

What happens on the target machines? In an upgrade scenario, BDD runs a ZTIPrereq.wsf script. This script confirms that a target machine is running an upgradable OS (XP Pro SP2 or later, Windows 2000 Professional SP4). It also checks for the following installed software: SMS Advanced Client for SMS 2003 SP2, Windows Script Host 5.6 or later, Microsoft Core XML Services 3.0 (MSXML), and Microsoft Data Access Components 2.0 (MDAC). After the ZTIPrereq.wsf script determines that the minimum requirements are met, the ZTIValidate.wsf script runs to ensure there are enough resources available to deploy the new OS. These resources include 512MB of RAM and enough hard disk space for the image to be deployed. It also makes sure that the current OS isn't a server OS. In a refresh scenario, the ZTIValidate.wsf script requires that the current OS has been installed on the C partition and that the C partition is the first partition on the first disk of the target computer.
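The following Windows PowerShell function is an added example, not BDD's own ZTIPrereq.wsf or ZTIValidate.wsf: it re-implements the checks described above through WMI, the registry, and file versions so you can pre-qualify a target before a deployment. The image size, and the service, registry, and file locations used to detect each component (the CcmExec service for the SMS Advanced Client, wscript.exe's version for WSH, msxml3.dll for MSXML, the DataAccess registry key for MDAC), are assumptions made for this example.

```powershell
# Added example: PowerShell re-implementation of the ZTIPrereq/ZTIValidate checks
# described in the text. Not BDD's own code. Detection locations and the image
# size are assumptions.
function Test-ZtiTarget {
    param(
        [int]$MinRamMB    = 512,    # from the text
        [int]$ImageSizeMB = 8192,   # assumed size of the Vista image to deploy
        [switch]$Refresh            # refresh scenario adds the C: partition checks
    )
    $r = @{}

    # --- ZTIPrereq-style checks: is the current OS upgradable? ---
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version            # e.g. 5.1.2600 = XP, 5.0.2195 = Windows 2000
    $sp  = [int]$os.ServicePackMajorVersion
    $newerThanXp = ($ver.Major -gt 5) -or ($ver.Major -eq 5 -and $ver.Minor -gt 1)
    $xpSp2       = ($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $sp -ge 2)
    $w2kSp4      = ($ver.Major -eq 5 -and $ver.Minor -eq 0 -and $sp -ge 4)
    $r['UpgradableOS'] = $newerThanXp -or $xpSp2 -or $w2kSp4

    # SMS 2003 Advanced Client: its agent host service is CcmExec (assumed detection)
    $r['SmsAdvancedClient'] = [bool](Get-Service -Name CcmExec -ErrorAction SilentlyContinue)

    # Windows Script Host 5.6 or later: read the file version of wscript.exe
    $wsh = (Get-Item "$env:windir\System32\wscript.exe").VersionInfo.ProductVersion
    $r['WSH56'] = [version]$wsh -ge [version]'5.6'

    # MSXML 3.0: msxml3.dll present in System32
    $r['MSXML3'] = Test-Path "$env:windir\System32\msxml3.dll"

    # MDAC 2.0 or later: version string under HKLM\SOFTWARE\Microsoft\DataAccess
    $mdac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\DataAccess' -ErrorAction SilentlyContinue).FullInstallVer
    $r['MDAC20'] = ($mdac -ne $null) -and ([version]$mdac -ge [version]'2.0')

    # --- ZTIValidate-style checks: enough resources, and not a server ---
    $cs = Get-WmiObject Win32_ComputerSystem
    # WMI reports slightly less than the nominal RAM; lower $MinRamMB a little if 512MB boxes fail
    $r['RAM'] = [math]::Round($cs.TotalPhysicalMemory / 1MB) -ge $MinRamMB
    $c = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
    $r['DiskSpace']   = [math]::Round($c.FreeSpace / 1MB) -ge $ImageSizeMB
    $r['NotServerOS'] = ($os.ProductType -eq 1)     # 1 = workstation, 2 = DC, 3 = server

    if ($Refresh) {
        # Current OS must live on C:, and C: must be partition 0 on disk 0
        $r['OsOnC'] = ($os.SystemDrive -eq 'C:')
        $part = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} " +
                                      "WHERE AssocClass=Win32_LogicalDiskToPartition")
        $r['CIsFirstPartition'] = ($part.DiskIndex -eq 0 -and $part.Index -eq 0)
    }
    return $r
}

$checks = Test-ZtiTarget -Refresh
$checks.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ($checks.Values -contains $false) {
    Write-Warning 'Target does not meet the ZTI prerequisites; deployment would be blocked.'
    exit 1
}
'Target qualifies for ZTI.'
```

Run it on the target (or remotely with -ComputerName added to the Get-WmiObject calls) before the scheduled deployment; a failing check here is the same condition that would make BDD's scripts stop the deployment later, when the machine is already offline for the user.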
As you learned in part 1 of this series, "Upgrading to Exchange Server 2007," August 2007, InstantDoc ID 96240, preparing your existing Exchange Server 2003 organization for an upgrade to Exchange Server 2007 is a multistep process, which includes installing Exchange 2007 onto a new server, then migrating the data from the legacy servers that your Exchange 2007 server will replace. Here, I'll continue explaining the Exchange 2007 migration steps by showing you how using a new wizard can streamline the migration process. But before you start moving mailboxes, I recommend that you back up your data, choose an email client for your users, and let your users know that they could experience delays in accessing a Web email client to get their Exchange email during the migration process.


Brien Posey (www.brienposey.com) is the vice president of research for Relevant Technologies. He writes technical content for a variety of publications and Web sites.


First Things First: 
Backing Up Your Data 


Before you move data from your Exchange 2003 servers to your new Exchange 2007 server, I strongly recommend that you make a full backup of all of your Exchange servers and Active Directory (AD). Although I haven't heard reports of any catastrophic problems during a migration, having a full backup of all of your Exchange servers and AD is a good precautionary measure.
Upgrading to Outlook 2007

Although you don't have to use Microsoft Office Outlook 2007 if your organization is running Exchange 2007, I strongly recommend that you upgrade to Outlook 2007 before moving any mailboxes to your Exchange 2007 server.

Exchange 2007 has a number of new features, such as the Scheduling Assistant and Instant Search, that users can't take advantage of unless they're running Outlook 2007. See the Learning Path for more on the new features in Exchange and Outlook.


Learning Path

WINDOWS IT PRO RESOURCES

Exchange

"Upgrading to Exchange Server 2007," InstantDoc ID 96241
"Can I upgrade to Exchange Server 2007 from Exchange Server 5.5?" InstantDoc ID 95661
"Where Exchange Server 2007 Can Improve," InstantDoc ID 97303
"Mixing Exchange 2003 and Exchange 2007," InstantDoc ID 93762
"Step-by-Step Email Retention in Exchange 2007," InstantDoc ID 94739
"Exchange 2007 Public Folder Search Capability?" InstantDoc ID 96013

Outlook

"Outlook 2007 Preview," InstantDoc ID 50050
"How can I clean up the mailbox in Microsoft Office Outlook 2007?" InstantDoc ID 97031

MICROSOFT RESOURCES

Move Mailbox Wizard
technet.microsoft.com/en-us/library/bb691365.aspx
"How Outlook 2007 works with different Exchange Server versions"
technet2.microsoft.com/Office/en-us/library/2f26b4fe-bc02-4dcf-bd7b-3dec3854aa811033.mspx?mfr=true
"Moving Mailboxes"
technet.microsoft.com/en-us/library/bb124797.aspx
"A mailbox move operation stops responding when you move a mailbox from an Exchange 2003 mailbox store..."
support.microsoft.com/kb/936300
"The Exchange Management Console must remain open when you schedule a task to move a mailbox in Exchange 2007 or in Exchange 2003"
support.microsoft.com/kb/931748
"Manage your mailbox size with Mailbox Cleanup"
office.microsoft.com/en-us/outlook/HP030885231033.aspx



Using OWA 

In addition to thinking about upgrading to Outlook 2007, it's equally important to consider that some users might access their mailboxes through Microsoft Outlook Web Access (OWA). When you move a user's mailbox to a different server, the user can still access the mailbox through OWA without any configuration changes. The catch is that the first time users sign on to OWA after the move has occurred, they'll likely experience a long delay between the time they log on and the time they can start accessing email. Therefore, you'll need to warn OWA users in advance about this delay and tell them that it's a one-time occurrence.

In my experience, the delay typically lasts for a minute or so, but in some situations it could last for several minutes and even give the appearance that the user's Web browser locked up. According to Microsoft, the longest delays occur when Exchange is processing mailboxes containing 1GB or more of data in which the user has sorted messages using a field other than the default, which is the date the messages were received.

Exchange is designed to automatically create a view of each user's messages sorted by the date the messages were received. Exchange can create alternate tables for other message views, but these tables aren't created until a user actually attempts to use a view that requires them. So when someone who uses an alternate view to sort mail logs on to OWA for the first time after his or her mailbox has been moved, the alternate view won't exist yet. The delay occurs while Exchange builds the table for the user's chosen view. The larger the user's mailbox, the longer this process takes, thus the longer the delay that the user experiences.

As I've said, this delay should happen only once. Assuming that the user gives Exchange the chance to perform all necessary tasks, the next time the user logs on to OWA, OWA should respond normally.
Figure 2: Launching the Move Mailbox wizard
Figure 3: Choosing to skip corrupt messages within a mailbox
Figure 4: Scheduling a mailbox move

Moving User Mailboxes

The actual technique for moving mailboxes to an Exchange 2007 server is simple. You start by opening Exchange Management Console. Then, in the console tree at the left, under Recipient Configuration, click Mailbox. The result pane displays a list of all mailboxes in the Exchange organization, as Figure 1 shows.

Notice the Recipient Type Details column in Figure 1. Some recipients are listed as having a Legacy Mailbox, while one recipient has a User Mailbox. Legacy mailboxes exist on Microsoft Exchange 2000 Server or Exchange 2003 servers. User mailboxes exist on Exchange 2007 servers.

I'm calling out these distinctions because I want to emphasize the differences between Exchange 2003 and Exchange 2007 mailboxes. Exchange 2007 mailboxes contain attributes that simply don't exist in Exchange 2003. Because of this, you can't use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to move a mailbox from an Exchange 2000 or Exchange 2003 server to an Exchange 2007 server. Instead, you need to use Exchange Management Console to do so.

Launching the Move Mailbox Wizard

To start your organization's mailbox migration, open Exchange Management Console, right-click the mailbox you want to move, and select the Move Mailbox command from the shortcut menu. Exchange will launch the Move Mailbox wizard, as Figure 2 shows.

The Move Mailbox wizard can also perform bulk mailbox moves. To move multiple mailboxes, in the console select all the mailboxes you want to move, click the right mouse button, and choose the Move Mailbox command from the shortcut menu. As you can see in Figure 2, you can specify a mailbox's destination by selecting the server, storage group, and mailbox database to which you want to move the mailbox.

Click Next, and you'll see a prompt asking what you want to do if Exchange encounters corrupt messages during the move. By default, the Move Mailbox wizard skips the mailbox containing the corrupt messages. However, you can opt to copy the mailbox but not the corrupt messages. As Figure 3 shows, the wizard also lets you choose to specify a maximum number of corrupted messages to skip within each mailbox.

Using Move Schedule

Click Next, and the wizard's Move Schedule screen opens. As you can see in Figure 4, you have the option of scheduling the mailbox move to occur at a specific time. By default, the Move Mailbox wizard will move the mailboxes you've selected immediately upon completion of the wizard. If you're moving only a few mailboxes, the default will probably be fine for you. If you're moving a lot of mailboxes, you'll want to use the scheduling feature.
Preparing for a Mailbox Migration to Exchange 2007

Are you planning to migrate legacy mailboxes to Exchange Server 2007? You'll need to prepare carefully, and you'll want to take advantage of a new wizard that streamlines the process.

Step 1: Before you begin, back up your legacy Exchange servers.

Step 2: Consider upgrading to Microsoft Office Outlook 2007, so users can take advantage of new features in Exchange 2007 that only work with Outlook 2007.

Step 3: Prepare your Outlook Web Access (OWA) users for possible delays when migrating large mailboxes that aren't sorted by the date messages are received.

Step 4: Launch the Move Mailbox wizard from the Exchange Management Console.

Step 5: Use the Move Mailbox wizard to make choices on handling corrupted messages.

Step 6: Use the Move Schedule feature in the wizard to schedule the move. The wizard lets you schedule a move during off hours. You can also set the wizard to abort tasks after a given number of hours.

Step 7: After the move is complete, keep your Exchange Server 2003 servers online for a few weeks, so you can move mailboxes back to them in the rare instances where performance or compatibility problems arise.

InstantDoc ID 97399


You can use Move Schedule to schedule the mailbox move to occur late at night when the servers involved in the move are likely to be carrying a minimal workload. Doing so is not only an efficient way to use your servers, but it also lets you move users' mailboxes after hours when they're typically not in use. If you've scheduled the mailbox move using Move Schedule, you don't have to come back to the office late at night to start and babysit the operation. (However, I recommend testing the Move Mailbox feature on a few mailboxes before you do a large-scale move of many mailboxes, just to make sure that you won't have any unanticipated problems.)

You can choose an option in Move Schedule that lets the wizard cancel a task that's been running too long, depending on the number of hours you've specified for this option. I recommend using this option, because I've seen situations in which a mailbox had problems, but the mailbox wasn't recognized by the wizard as being corrupt and caused the wizard to hang during the move. Setting the wizard to abort a move after a given number of hours lets you avoid the server hanging should this type of problem occur. If you decide to set an abort threshold in Move Schedule, make sure the time period is long enough to cover moving your largest mailbox, so that you don't cancel a task unnecessarily.

Reviewing Move-Mailbox 
Options 

When you finish scheduling the move, click 
Next, and you'll see a screen that displays a 
summary of the move options you've chosen, 
as Figure 5 shows. Review the options, and 


click the Move button to move the selected 
mailboxes. If you've scheduled a move to occur 
at a later time, clicking Move gives the move 
permission to occur, but the wizard will not 
launch the move until the scheduled time. 

When the move is completed, click the 
Finish button to close the wizard. When you go 
back to the Exchange Management Console, 
Recipient Configuration, Mailbox node, you'll 
see the mailboxes that you've moved are now 
listed as User Mailboxes. 
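The wizard's choices (destination database, corrupt-item handling, bulk selection, off-hours scheduling) can also be driven from Exchange Management Shell, which is useful when you want the same settings applied repeatably to many legacy mailboxes. The script below is an added example, not from the article or from Microsoft; it uses the Exchange 2007 Move-Mailbox cmdlet, and the server, storage group, database, account, and path names are assumptions.

```powershell
# Added example: bulk Move-Mailbox from Exchange 2007 Management Shell, mirroring
# the Move Mailbox wizard's options. Names below are assumptions for the example.
param(
    [string]$SourceServer   = 'EX2003-01',                  # assumed legacy (2003) server
    [string]$TargetDatabase = 'EX2007-01\SG1\MailboxDB1',   # assumed Server\StorageGroup\Database
    [int]   $BadItemLimit   = 10,        # wizard: max corrupt messages to skip per mailbox
    [int]   $MaxThreads     = 4,         # concurrent moves; keep low on a busy store
    [string]$ReportFile     = ('C:\MoveLogs\move-{0:yyyyMMdd-HHmm}.xml' -f (Get-Date)),
    [switch]$ValidateOnly                # dry run: run the cmdlet's checks, move nothing
)

# Only the legacy mailboxes still on the 2003 server, i.e. the recipients that
# EMC's Recipient Type Details column shows as Legacy Mailbox.
$mailboxes = @(Get-Mailbox -Server $SourceServer -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'LegacyMailbox' })
if ($mailboxes.Count -eq 0) { Write-Warning "No legacy mailboxes on $SourceServer"; return }

"Moving {0} mailboxes from {1} to {2}" -f $mailboxes.Count, $SourceServer, $TargetDatabase

# BadItemLimit 0 (the cmdlet default, and the wizard default) fails the move of any
# mailbox that contains a corrupt item; a positive limit copies the mailbox and
# drops up to that many corrupt items, which is the wizard's "skip" option.
$mailboxes | Move-Mailbox -TargetDatabase $TargetDatabase `
                          -BadItemLimit $BadItemLimit `
                          -MaxThreads $MaxThreads `
                          -ReportFile $ReportFile `
                          -ValidateOnly:$ValidateOnly `
                          -Confirm:$false

# After the move, the recipients report as UserMailbox on the 2007 database
Get-Mailbox -Database $TargetDatabase | Select-Object Name, RecipientTypeDetails

# Off-hours run, the equivalent of the wizard's Move Schedule, from a scheduled task
# (assumed 02:00 start, assumed account and script path; /RP * prompts for the password):
#   schtasks /Create /SC ONCE /ST 02:00 /TN "MoveLegacyMailboxes" /RU fabrikam\exadmin /RP * /TR "powershell.exe -PSConsoleFile \"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1\" -Command \"& 'C:\Scripts\Move-LegacyMailboxes.ps1'\""
```

Run it once with -ValidateOnly against a handful of pilot mailboxes, as the article recommends, and review the XML report before scheduling the full move; the report names each skipped item, which is the evidence you want before deciding whether a BadItemLimit of 10 is acceptable for your users.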

After the Migration

After your migration to Exchange 2007 is done, I recommend keeping your Exchange 2003 servers online for a couple of weeks. Although performance problems or compatibility issues are rare, I've seen posts on various Web sites from administrators who've encountered such problems after migrating to Exchange 2007. If your Exchange 2003 servers are online, you'll be able to temporarily move mailboxes or public folders back to them should you encounter unexpected problems. (You can use the Exchange 2007 Move Mailbox wizard to move mailboxes from an Exchange 2007 server back to a legacy Exchange server.)

Even when you're confident enough in your Exchange 2007 server that you're ready to retire your Exchange 2003 servers, I recommend leaving at least one Exchange 2003 server online until you can take advantage of the features Microsoft provides in Exchange 2007 SP1. This service pack adds features to Exchange Management Console, such as public folder-management capabilities, that weren't included in the original release of Exchange 2007. However, since the final release of SP1 isn't scheduled until after Windows Server 2008 is released, if you want to manage public folders and perform certain other administrative tasks via a GUI administrative console, you'll need to do so by using Exchange System Manager (ESM) on your Exchange 2003 server, until Exchange 2007 SP1 is available. (However, if you want to perform public folder-management tasks via the command line, you can do so now by using Windows PowerShell cmdlets in Exchange Management Shell.)

Figure 5: Summary of mailbox move options
Tired of Nursing Your Exchange Server?

Anyone who has given birth to an Exchange network knows it can get sick and needs some nursing to stay healthy. In fact, 72% of Exchange Administrators surveyed* have "experienced" an Exchange disaster (feels like the flu), usually from improper feeding and care.

Prevent Hiccups

GOexchange removes errors, warnings and inconsistencies within the database, before major corruption makes the database fail.

"GOexchange corrected 2,264 errors and 26 warnings." Paul Ramos, Director IT

Like many databases, constant adding and deleting can corrupt an Exchange data file so it eventually turns sour. Replicating, archiving and backing up the data doesn't stop the stink, it just stores it. You've got to...

Fix the Problem

You may have tried the free utilities to fix Exchange. While they help, they are too tedious, time consuming and lightweight to keep your Exchange baby healthy. You've tried the milk, now try some meat!

Run, Don't Crawl

In addition to fixing the database, GOexchange removes sluggishness and improves performance by re-indexing and defragmenting the database to permanently remove white space and deleted items. The end result is increased performance and stability with a compact efficient database that's 31 to 55% smaller! Combine this with archiving and the database is up to 91% smaller, making it much quicker to back up.

Solutions Inspiring Confidence

"Life before GOexchange...was an absolute nightmare, late nights, long weekends and upset users." Marty Grogan, CTO

Stop The Crying

Pamper Yourself with GOexchange

It's time to try GOexchange, from Lucid8, the #1 best-selling automated disaster prevention and optimization software for Microsoft Exchange 5.5, 2000, 2003 and 2007. As the mother of all Exchange tools, GOexchange helps prevent disasters, repair problems, improves performance, and saves you a lot of time.

"Without routine maintenance, decreasing performance, increased warnings and errors accumulate and database fragmentation transpires, leading to Exchange disasters." Gartner

"..our information stores were reduced by 45-50%." Dale Huitt, Systems Lead

Automated Babysitter

First, GOexchange is easy to set up and use. Twenty minutes, that's all it takes to get your server up and running. Just schedule it, and walk away!

The software notifies the users, validates the database, runs the backup, conducts a comprehensive system analysis and diagnostics, logs the errors, and notifies you if it discovers a "stop" error, then it repairs and defragments the database, generates a thorough report and schedules the next event.

You can do some of this work yourself, but why waste time doing repetitive maintenance, when GOexchange can do it for you, faster and more effectively than doing it by hand.

Why not call now, or visit our resource site and learn how to reduce the risk, and avoid the pain. Protect your Exchange data, maximize performance, and spend a weekend at home, instead of babysitting Exchange.

Special Offer

• Free Software for analysis of your Exchange server!
• Free White Paper, "Basic Feeding of Your Exchange Server."
• Free Essential Guide to Exchange Preventative Maintenance

Go to: www.Lucid8.com/GoITPro
Call 425.456.8474
E-mail: Sales@Lucid8.com
Use Kerberos to Secure MOSS 2007

Which Kerberos authentication features you need and how to configure them

by Ethan Wilansky and Rick Sneddon

It's a no-brainer to use Kerberos authentication to access SharePoint when Active Directory (AD) is your identity store. The Kerberos authentication protocol is the highest performance Windows Server authentication mechanism out of the box, and Kerberos is currently the most secure authentication mechanism supported by AD. (For more information about Kerberos, check out the sidebar, "10 Important Kerberos Facts," page 78.)

In the Windows SharePoint Services 3.0 (WSS 3.0) Central Administration interface, Microsoft recommends that you use Kerberos authentication. Unfortunately, when you choose Kerberos authentication, Microsoft displays an ambiguous message that says an administrator might have to configure an application pool account to allow for Kerberos authentication if the application pool account is not Network Service. Further, there's no reference to any documentation where you can figure out what the heck to do to make Kerberos authentication work. To complicate matters, Microsoft's article explaining how to configure Microsoft Office SharePoint Server 2007 (MOSS) to use Kerberos authentication (see support.microsoft.com/?kbid=832769) actually contains the following quote: "Most of the time, you should choose NTLM [NT LAN Manager] authentication." How's that for an inconsistent message?

But we've found that Kerberos is truly the best authentication method, especially for such uses as authentication over a slow link or a public network and with smart cards. And when you have finished reading our article, you will know which Kerberos authentication features you need, what to do to configure these features in a SharePoint environment, and how to verify that Kerberos authentication is working.

System Requirements

To run in a Windows network, Kerberos authentication requires several components, which Figure 1 shows. If you're running AD, you probably have most of the pieces in place already: a trusted authority called the Key Distribution Center (KDC; for details on exactly what the KDC does, see the Microsoft article "How the Kerberos Version 5 Authentication Protocol Works," at technet2.microsoft.com/windowsserver/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?pf=true), clients that support Kerberos authentication, a time service, TCP/IP, AD-integrated DNS, and the ability to configure Service Principal Names (SPNs).

Figure 1: Kerberos prerequisites. Operating systems that support Kerberos (Windows 2000, 2003, XP, Vista, and others outside the Windows family, because Kerberos is an open standard protocol); Active Directory, which provides a trusted authority called the Key Distribution Center; DNS that supports the Kerberos and LDAP SRV records; and a time service, because the KDC uses timestamps in the authentication process to prevent replay attacks.

10 Important Kerberos Facts

You should read this list of Kerberos facts if you read nothing else in this article. Kerberos is an important protocol that's sometimes misunderstood by administrators.

1. Kerberos is an industry standard that was initially developed by MIT in the 1980s. The current version, Kerberos 5, was defined in RFC 1510 (since superseded by RFC 4120).

2. If you log on to an Active Directory (AD) domain from a computer running Windows 2000 or later, you are probably relying on the Kerberos 5 authentication protocol to access a wide array of network resources, such as AD domain resources, file shares, print services, Microsoft IIS, and even resources protected by IPSec.

3. Kerberos is currently the most secure authentication mechanism supported by AD.

4. Kerberos is the best choice for most Microsoft Office SharePoint Server 2007 (MOSS) implementations in an intranet or extranet where users log on to an AD domain.

5. Kerberos is the only Windows authentication protocol that provides delegation (what makes double-hop authentication possible), including constrained delegation and protocol transition.

6. Windows Integrated Authentication is a superset of the authentication protocols Kerberos and NTLM.

7. Digest and Basic authentication (the latter augmented for security with TLS/SSL) aren't part of Windows Integrated Authentication but are available via the Security Support Provider Interface (SSPI) in Windows.

8. Kerberos authentication to a Web site requires that your Microsoft browser be Microsoft Internet Explorer 5.0 or above. Mozilla Firefox and other browsers also support Kerberos authentication.

9. Kerberos works for both password-based and smart card-enabled authentication.

10. In Greek mythology, Kerberos (Cerberus) was the watchdog of Hades, the god of the underworld: a three-headed canine that guarded the gates of the underworld.

InstantDoc ID 97377

The KDC arbitrates secure communication between two clients. Each AD domain controller (DC) is already a KDC. The KDC uses timestamps in the authentication process (by default, a client whose clock is more than five minutes off from the KDC's fails to authenticate). Because AD relies on a time service for directory service activities such as replication, if you're already using AD the time service will be configured for a properly functioning AD implementation. In addition, it's likely that you have AD-integrated DNS already operating in your network. Of course, you can also support BIND DNS servers in an AD implementation. If you do use BIND DNS, all you have to do to implement Kerberos is add SRV records for each AD domain specifically to support the LDAP and Kerberos protocols. (For information on how to configure your BIND DNS server to support Kerberos, see the article "Configure BIND DNS to Answer Active Directory Queries" at www.linuxquestions.org/linux/answers/Networking/Configure_BIND_DNS_to_Answer_Active_Directory_Queries.)

Finally, all Windows 2000 clients and beyond support Kerberos authentication. Kerberos is an open standard so, as you might expect, additional clients such as Mac OS X, Sun Microsystems Solaris, and Red Hat Linux also support Kerberos authentication. After you verify that your network meets the basic requirements, the next step is configuration.

Initial Steps to Support Kerberos Authentication

The first steps in configuring Kerberos authentication, namely setting one or more SPNs and configuring each SharePoint Web application to use Kerberos authentication, apply to all MOSS/WSS 3.0 implementations. Before diving too deeply into how you accomplish these two configuration steps, it's important to understand the underlying MOSS/WSS Web application architecture and how it maps to the Internet Information Services (IIS) Web site architecture on which it runs.

A typical MOSS instance contains multiple Web applications. For example, a Web application is assigned to host SharePoint Central Administration and another hosts the SharePoint Shared Service Provider (SSP). You create these two Web applications when you install and initially configure MOSS. To let users interact with MOSS, you then create one or more Web applications to host your portal. Users log on to this Web application. In addition, you create another Web application if you want to implement the MySite feature. Each Web application is an IIS 6.0 Web site. Although the MOSS/WSS 3.0 interface lets you create the MySite feature in the SSP, the setup procedure advises you to create a separate Web Application. This is a good idea, especially for simplifying disaster recovery.

An essential part of an IIS 6.0 or later Web site is its application pool. Each IIS 6.0 Web site is assigned to an application pool. For security and stability, the application pool separates the worker process for one or more Web sites from the content and configuration settings for those Web sites. Although you can assign more than one IIS Web application to the same application pool, you should configure each MOSS Web application to use its own application pool. Within the application pool you specify the identity of a user account for running the Web site process. By default, IIS assigns the built-in Network Service identity to an application pool. However, Microsoft doesn't recommend this configuration for MOSS/WSS 3.0 Web applications. Instead, each application pool should use a unique domain user account and be assigned to a single Web application. See the Microsoft article "Plan for administrative and service accounts (Office SharePoint Server)," (technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true).

What's a Service Principal Name?

Each user account that is used by an application pool requires that an SPN be set against it to allow Kerberos authentication to work. An SPN uniquely identifies a user account or computer account as a service host at a specific target address. This distinction is essential for helping to prevent service (daemon) spoofing, which occurs when a system accidentally connects to a malicious daemon of the same name running on a different machine or operating with a different user account. In addition, the SPN is critical to the proper operation of the KDC ticket-granting process. To learn more about the Kerberos authentication protocol architecture, review the resources listed in the Web Learning Path at www.windowsitpro.com/Article/ArticleID/97376/Windows_97376.html.

In Kerberos 5, the different parts of the SPN are delimited with a forward slash: class/host:port/name. The class name is a value such as HOST, HTTP, or LDAP. HOST is a special name and always represents the built-in services running on a computer registered in AD. Any other class name acts as an alias of a HOST name. It's useful to assign a symbolic class name to differentiate specific types of services you might be providing, such as http services. For example, Microsoft Internet Explorer (IE) and IIS use the HTTP class name for Kerberos authentication. Note that the HTTP class name is not the same as the http protocol, so you can use the HTTP class name for both http and https services.

Figure 2: Setting SPNs

The next part of the SPN is the host name, not to be confused with the HOST class name; the host name can include a port value. The two types of host names you should register for an SPN are the NetBIOS name (computer name) and the Fully Qualified Domain Name (FQDN). By registering both, you can be sure that a user who browses to either name will authenticate using Kerberos.

You can also include a port value if you want to limit the SPN to a specific port or you are using non-standard ports for a particular Web application. For example, if your central administration site is hosted on port 35000, you might want to include this specification in your SPN registrations for the SharePoint Central Administration site. To offer a more detailed example, if you host Central Administration on a computer named CA01 in the fabrikam.com domain on port 35000, your SPNs for this site would be HTTP/CA01.fabrikam.com:35000 and HTTP/CA01:35000.

Finally, the name part of the SPN is rarely used except for services that are replicated. You can safely omit the name part of an SPN for your MOSS-related SPN registrations.

In terms of AD, the SPNs are values automatically written to the servicePrincipalName multivalued attribute of a computer account when it's registered in an AD domain. For example, workstation01 in the fabrikam.com domain will have the following two SPNs automatically registered: HOST/WORKSTATION01 and HOST/workstation01.fabrikam.com. Servers registered in the domain will also have the HOST SPN entries and are likely to have some symbolic class as well, such as SMTPSVC. Because of this automatic registration, your AD client can use Kerberos authentication to authenticate you to a domain. In addition, the NT AUTHORITY\NETWORK SERVICE (aka Network Service) acts as the computer on the network and therefore inherits the SPN settings of the computer.

You might ask then, if Network Service has an SPN on it already, why bother having to set the SPN if an IIS application pool can use this account for its identity? To that we would say, great question! Microsoft recommends that you use an AD user account for each application pool supporting a MOSS Web application. Although we don't have specific information about this, we believe Microsoft discourages the use of Network Service for this purpose because it would require that you assign several permissions to this ubiquitous and typically low-privilege account. Therefore, when you assign a user account to an Application Pool's identity that will provide Kerberos authentication, you must then assign an SPN to that account. During the authentication handshake between the client browser and the Web application, IIS uses the SPN to retrieve a Kerberos ticket from the KDC and a session key on behalf of the logged-on user.

Setting SPNs 

With the aptly named setspn command-line tool that's part of Windows Server 2003 SP1 and later (and included as a support tool for Windows 2000 Server), you can perform SPN create, read, update, and delete operations. The create operation is referred to as registering an SPN. Figure 2 shows the registration process.

Because registering an SPN is a security-sensitive operation, you must have administrative permissions in the domain to create, update, or delete an SPN. Any authenticated user can read SPNs created for a user account or computer. Being able to read an SPN is important, especially if you work in an organization where you don't have administrative permission in the domain to set it yourself, so you can check for configuration accuracy and troubleshoot errors.


In the example of a host named corpweb and corpweb.fabrikam.com, if the application user account assigned to the MOSS Application Pool identity is fabrikam\PortalAppPool, the following setspn commands prepare the account for Kerberos authentication:

setspn -A HTTP/corpweb fabrikam\PortalAppPool

setspn -A HTTP/corpweb.fabrikam.com fabrikam\PortalAppPool

The first command sets the HTTP class and the NetBIOS name of the Web server on the fabrikam\PortalAppPool user account. The second command sets the HTTP class and fully qualified host name (DNS name) for the portal on the same user account. After registering the user account with the required SPNs, running the following command:

setspn -L portalapppool

returns the following output:

Registered ServicePrincipalNames for CN=PORTALAPPPOOL,OU=SVC ACCOUNTS,DC=FABRIKAM,DC=COM:
HTTP/corpweb
HTTP/corpweb.fabrikam.com

The -L parameter shows the distinguished name of the PortalAppPool account and the SPNs registered on that account. Note that the command's parameter syntax suggests that you can run setspn commands only against computer names. However, it also works for user accounts, as the previous example demonstrates.

SPNs to Set for MOSS 

To support Kerberos authentication for MOSS, run the setspn command against the application pool accounts you have created for your MOSS Web applications to register the published names. In a typical MOSS installation, the Web applications that require SPN registrations on their associated application pool accounts are SharePoint 3.0 Central Administration, SSP, MySite, and the portal. Published names include the FQDN as it appears in your DNS (e.g., corpweb.fabrikam.com), the NetBIOS name (e.g., corpweb), and any other FQDNs that might be associated with a portal site (e.g., a DNS CNAME entry of portal.fabrikam.com that resolves to corpweb.fabrikam.com, or host header addresses).

Use the port designation in the SPN host 
name for Web applications that are published 
over non-standard ports. If a particular Web 
application is using port 80 or 443, you don't 
need to specify the port. 
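As an added example (not from the article), here is a small Python script that applies the rules above: it builds the HTTP SPN set a MOSS Web application needs from its published names (one SPN per name, port appended only when it isn't 80 or 443), emits the matching setspn -A commands, and checks a pasted setspn -L listing for missing or extra SPNs and for SPNs registered on more than one account. The host names, account names, and the sample setspn output are constructed.

```python
# Added example, not from the article: compute the HTTP SPNs a MOSS web
# application needs, emit the matching setspn -A commands, and check a
# pasted `setspn -L` listing for gaps. All names below are constructed.
from dataclasses import dataclass, field


@dataclass
class WebApp:
    """Published names of one MOSS web application (constructed data)."""
    netbios: str                                     # e.g. corpweb
    fqdn: str                                        # e.g. corpweb.fabrikam.com
    port: int = 80                                   # port the site is published on
    extra_fqdns: list = field(default_factory=list)  # CNAMEs, host headers


def expected_spns(app: WebApp) -> set:
    """One HTTP SPN per published name; the port is appended only when it
    is non-standard (anything other than 80 or 443)."""
    suffix = "" if app.port in (80, 443) else f":{app.port}"
    names = [app.netbios, app.fqdn, *app.extra_fqdns]
    return {f"HTTP/{name}{suffix}" for name in names}


def setspn_commands(app: WebApp, account: str) -> list:
    """setspn -A lines that register the expected SPNs on the app pool
    account, sorted so the output is stable."""
    return [f"setspn -A {spn} {account}" for spn in sorted(expected_spns(app))]


def parse_setspn_list(output: str) -> tuple:
    """Parse `setspn -L <account>` output into (distinguished name, SPN set).
    The header line ends with ':' and may be wrapped over several lines, as
    in the article's listing; every non-empty line after it is an SPN."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    header_parts, spns, in_header = [], set(), True
    for line in lines:
        if in_header:
            header_parts.append(line)
            in_header = not line.endswith(":")
        else:
            spns.add(line)
    header = "".join(header_parts).rstrip(":")
    dn = header.split(" for ", 1)[1] if " for " in header else header
    return dn, spns


def check_account(app: WebApp, output: str) -> dict:
    """Compare what setspn -L reports with what the web application needs.
    AD matches SPNs case-insensitively, so the comparison ignores case."""
    dn, registered = parse_setspn_list(output)
    exp = {spn.lower(): spn for spn in expected_spns(app)}
    reg = {spn.lower(): spn for spn in registered}
    return {
        "dn": dn,
        "missing": sorted(spn for key, spn in exp.items() if key not in reg),
        "unexpected": sorted(spn for key, spn in reg.items() if key not in exp),
    }


def find_duplicate_spns(accounts: dict) -> dict:
    """Given {account: set_of_spns}, return SPNs registered on more than one
    account. A duplicate SPN breaks Kerberos for that name, because the KDC
    cannot tell which account's key should encrypt the service ticket."""
    owners = {}
    for account, spns in accounts.items():
        for spn in spns:
            owners.setdefault(spn.lower(), []).append(account)
    return {spn: sorted(accs) for spn, accs in owners.items() if len(accs) > 1}


# Constructed sample: the portal published as corpweb, corpweb.fabrikam.com
# and the CNAME portal.fabrikam.com, on port 80.
PORTAL = WebApp("corpweb", "corpweb.fabrikam.com", 80, ["portal.fabrikam.com"])

# Constructed sample of `setspn -L portalapppool` output; the CNAME has
# not been registered yet, so the check below reports it as missing.
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=PortalAppPool,OU=SVC Accounts,DC=fabrikam,DC=com:
    HTTP/corpweb
    HTTP/corpweb.fabrikam.com
"""

if __name__ == "__main__":
    for cmd in setspn_commands(PORTAL, "fabrikam\\PortalAppPool"):
        print(cmd)
    print(check_account(PORTAL, SAMPLE_SETSPN_L))
```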

We provided a simple example in the previous section for registering two SPNs, and you can refer to the article "Configuring Kerberos for SharePoint 2007: Part 1 - Base Configuration for SharePoint" (blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx) to see other example SPN commands for a MOSS instance. The author, Martin Kearn, also suggests that you configure an SPN against the SharePoint Farm Service account. However, we haven't been able to confirm why this is necessary for this initial configuration to support Kerberos authentication.


Preparing Your Web Applications 

Now that your SPNs are set, the next step is to configure the default Windows membership provider for each Web application to use Kerberos. You can complete this task from SharePoint Central Administration by following this path: Central Administration, Application Management, Authentication Providers. From the Web Application drop-down menu in the toolbar, select each Web application, then click the Default zone for the Windows membership provider.

From the Edit Authentication Web page, verify that Integrated Windows Authentication (which is synonymous with Windows Integrated Authentication) is checked, then select Negotiate (Kerberos). This option means that the Web application will attempt Kerberos authentication with the client. If this authentication fails, the Web application will downgrade to NTLM authentication. If non-Windows Integrated Authentication protocols are enabled, such as basic and digest authentication, and the client browser can't support Kerberos or NTLM, the server will let the browser attempt basic and then digest authentication.

If you're supporting Kerberos authentication on the Web application hosting the shared service provider, you also have to run the following stsadm command to enable Kerberos authentication:

STSADM.exe -o SetSharedWebServiceAuthn -negotiate

This is Step 4 in the Martin Kearn blog article 
we mentioned in the previous section. Note 
that Martin mentions additional steps required 
for configuring Kerberos delegation (Step 2 and 
part of Step 5). However, neither of these steps 
is necessary for the initial MOSS configuration 
to support Kerberos authentication. 


When Kerberos Delegation Is Essential

A deciding factor for using Kerberos is whether you need to support the delegation feature. Web Figure 1 (www.windowsitpro.com, InstantDoc ID 97376) shows the process that delegation and constrained delegation go through.

To understand delegation, consider impersonation. Impersonation is the process of acting as the logged-on user account to access resources. Impersonation is necessary when a service account (i.e., a MOSS application pool identity) is accessing back-end systems on behalf of a user and there is a security requirement that users must use their identity to connect to the back-end resource. Delegation simply extends impersonation across machine boundaries.

To decide whether you need this feature, you must evaluate the type of application that will serve as the front end to the authentication process, what back-end applications are involved in the authentication process, and how secure the authentication process needs to be. The following three scenarios illustrate the issues involved:

Scenario 1: A user logs on to a Windows network. The user can run Microsoft Word and open a Word document located on a network file share. The client computer contains a Kerberos ticket generated upon each user's logon (called a Ticket-Granting Ticket—TGT). When a logged-on user wants to access a Word document on a file share, the user (via the client computer's local security authority) communicates with a ticket-granting service—i.e., a KDC server. The KDC uses additional Kerberos tickets to facilitate the mutual authentication between the client and the file server containing the Word document. Each DC in an AD domain acts as a KDC. Although this explanation of how the interaction between the client and the file server occurs is significantly oversimplified, it demonstrates that base Kerberos services, not delegation, are needed in this case.

Scenario 2: A client application authenticates with a middle-tier application, and the middle-tier application then serves data from one or more back-end applications. In this case, the client application is a Web browser or Office application, the middle-tier application is the MOSS portal, and the back-end application can be a point solution (i.e., Project Server) or an integration services layer that accesses the back-end system.

Scenario 3: A service account accesses resources on behalf of a user. This process is referred to as the trusted sub-system model. The sub-system (or back-end application) trusts the middle-tier application service account so that the service account can retrieve data for a user by using the service account's identity and hand that data to the user. This scenario scales well, but it should be used only to retrieve data that doesn't have to be secured by the user account or audited per user.

So where is delegation necessary? The first scenario, in which a single application accesses a file share, doesn't involve delegation. The user logs on to the system, and there is no service running on another computer acting on behalf of the user to authenticate to a file share containing the Word document. In the second scenario, delegation is essential for supporting a single sign-on (SSO) experience and for authenticating to remote resources as the logged-on user. In the third scenario, the trusted sub-system model, delegation isn't necessary because, by design, the service account isn't impersonating users.

How to Configure Kerberos Delegation

Configuring delegation to a user account 
assigned as an application pool identity for 
a SharePoint Web application is relatively 
straightforward. The simplest way to enable 
this delegation is to navigate to the properties 
of a user account in the Active Directory Users 
and Computers snap-in. 

Once there, take one of two paths depending on your domain functional level. If you're running a Win2K domain or your Windows 2003 domain is running in Win2K domain functional level, click the Account tab and under Account Options select the Account is trusted for delegation check box. If you're running in Windows 2003 domain functional level, select the Delegation tab in the user properties dialog box, which Figure 3 shows. (If the Delegation tab isn't present and the domain is set to a Windows 2003 functional level, you need to go back and set an SPN on the service account.) In the Delegation tab, select one of the following three options:

Do not trust this user for delegation. This 
option is the default selection and doesn't let 
the user account impersonate another user to 
any back-end system. 

Trust this user for delegation to any service (Kerberos only). This option lets the user account impersonate another user to any back-end system that supports Kerberos authentication. It's time constrained because a Kerberos session key's default expiration lifetime is 10 hours. However, it's not constrained to a specific target. The application pool account will attempt to access any Kerberos-enabled back-end target as an impersonated user.

Trust this user for delegation to specified services only. This option constrains the application pool account to a specific target or targets. As Keith Brown describes in The .NET Developer's Guide to Windows Security (Addison Wesley, 2005), this option constrains delegation not only in time, but also in space. We specifically say "target" and not "back-end system" because the only valid target for constrained delegation is an SPN. The two typical targets are either SPN-enabled computers or user accounts. If your goal is to limit delegation to a back-end system that uses an application pool user account, you have two choices: You can either register an SPN for a target user account, as we described earlier in this article, or you can choose one of the existing SPNs assigned to the target back-end computer.

Typically, using an existing SPN assigned 
to the computer is adequate. Some reasons 
why you might want to register additional SPNs 
include the following: 

• Users access the back-end system by a custom FQDN.

• You want to further constrain delegation by designating a specific port to which the back-end service listens.

• The back-end service uses a custom service name (SPN class field) that isn't registered in the default set of SPNs on a target system.

• You choose to constrain delegation to specific user accounts rather than to specific target computers.

Figure 3 shows constrained delegation (i.e., the check box Trust this user for delegation to specified services only is selected) to a back-end system with a custom FQDN of BackEnd01.Server.Sys, two ports designated for two SPNs, one service on usahs-vulm268 that's listening on port 4000, and another service on BackEnd01.Server.Sys that's listening on port 45000.

Figure 3: The Delegation tab

When and How to Configure Protocol Transition

When one or more users accessing your portal Web applications can't use Kerberos from their client computers, or when your front-end Web servers don't provide Windows Integrated Authentication, you can use the Kerberos Protocol Transition feature. The former case is relatively rare. However, in the latter case, some routers or firewalls won't let you negotiate to Kerberos or even NTLM authentication. In these situations, configuring IIS to use Basic authentication over SSL is the best you can do. After IIS authenticates a user by using Basic authentication, the Kerberos Protocol Transition feature lets the front-end Web servers negotiate up to Kerberos authentication on behalf of the user.

Configuring protocol transition is straightforward. In Figure 3, beneath the Trust this user for delegation to specified services only option are two radio buttons that let you select either Use Kerberos only or Use any authentication protocol. If you select Use Kerberos only, then constrained delegation will work only with inbound Kerberos authentication of the user. Selecting Use any authentication protocol, which Figure 3 shows, lets you use protocol transition so that the middle-tier application (MOSS, in this case) changes the incoming authentication to Kerberos from some other authentication protocol, such as Basic authentication or NTLM.

For the service to obtain an impersonation token, its service account must have the "act as part of the operating system" privilege. If it doesn't, the service will get only an identification token.

Getting an impersonation token is essential 
if your goal is to allow both protocol transition 
and delegation. However, the impersonation 
token does expose your system to attacks where 
a user logs on as the application pool account 
to compromise a system. Therefore, use this 
feature with caution. 

An identity token, however, is usually adequate if all you need is to allow protocol transition. See Web Figure 2 to get a picture of what it takes to support protocol transition. The Learning Path that appears with this article online directs you to more resources about protocol transition and Kerberos. After you configure Kerberos, you'll need to check out the Web sidebar "Testing and Troubleshooting Kerberos," InstantDoc ID 97378, to ensure you've done it correctly.

Get to Know the Three-Headed Watchdog

As you can see, Kerberos authentication in a MOSS environment is a significant and sometimes challenging topic. Small wonder that it's named for the three-headed dog in Greek mythology that guarded the gates of the underworld. But, with a little research, perseverance, and some testing in your lab environment, you'll soon gain experience with the three-headed dog and hopefully let it loose on your MOSS portal. We recommend you try it!
Tricks & Traps - Ask the Experts


Q: I'm seeing a lot of events with ID 1058 (Windows cannot access the file gpt.ini for GPO) and ID 1030 (Windows cannot query for the list of Group Policy objects) in my application event logs on my client machines whenever Group Policy is processed, and Group Policy seems to be failing. What's causing these errors?

A: These errors are common, and unfortunately there's no one cause—or solution. These errors arise when the client computer can't successfully read the Sysvol portion of a Group Policy Object (GPO), which is where the gpt.ini file is stored. Most often, these errors occur because Windows' networking stack doesn't initialize in time for Group Policy processing to occur. In such cases, you'll typically see that computer processing of Group Policy will fail, but then user processing of Group Policy will succeed. There are a couple of Microsoft articles that address these network timing problems, including "Group Policy application fails on a computer that is running Windows 2000, Windows XP Service Pack 1, or Windows XP Service Pack 2" (support.microsoft.com/?kbid=840669), which helps you fix a variety of these problems, and "How to disable the Media Sensing feature for TCP/IP in Windows" (support.microsoft.com/?kbid=239924), which may also help with these types of problems, especially in wireless scenarios. The article "A client connected to an Ethernet switch may receive several logon-related error messages during startup" (support.microsoft.com/?kbid=202840) can also apply in certain scenarios where your network switch is not initializing a system's Ethernet port by the time Windows has started up.

The class of problems in which these events occur is when the gpt.ini is either missing for a given GPO or the permissions on it are such that the user or computer can't read it. In both cases, the error is usually the result of File Replication Service (FRS) problems with the Sysvol portion of a GPO on the domain controller (DC) that's currently being used by the computer for Group Policy processing. The quickest way to check this kind of problem is to use the gpotool.exe utility that ships as part of Windows Vista, or, for earlier OS versions, in the Windows Server 2003 Resource Kit Tools. You can use Gpotool to check the consistency of GPOs across DCs within your environment. The quickest way to check for problems from a system on which you're getting 1058 and 1030 event errors is to run Gpotool against the DC that the computer is currently using to process policy (usually a DC in its local Active Directory—AD—site) and compare that to the PDC-emulator DC, which is typically where Group Policy changes originate. In the following example, I use Gpotool to check the consistency of the Default Domain Policy GPO, including ACLs, on both my local DC (dc100) and my PDC-emulator DC (sdml):

gpotool /gpo:"Default Domain Policy" /dc:sdml,dc100 /checkacl /verbose

The /verbose option lets me see full details for each comparison.

If I find a problem with either missing files on my local DC or incorrect permissions, then it's time to break out the FRS troubleshooting tools, such as Sonar (www.microsoft.com/downloads/details.aspx?FamilyID=158cb0fb-fe09-477c-8148-25ae02cf15d8&DisplayLang=en), or try one of the techniques described in the Microsoft article "Applying Group Policy causes Userenv errors and events to occur on your computers that are running Windows Server 2003, Windows XP, or Windows 2000" (support.microsoft.com/?kbid=887303).

Q: If a Windows Imaging Format (WIM) file contains multiple images and I need to apply a patch or driver, do I apply it to only one of the images?

A: Although a WIM file can contain multiple OS images (e.g., Windows Vista Business, Vista Ultimate), the reason for collecting images into one WIM file is to take advantage of Single Instance Storage (SIS). However, each image is separate; if you install an update into the Vista Business image, the update affects only that image and none of the other images. Thus, if there are seven images in a WIM file, you have to patch all seven individually.

InstantDoc ID 97350
Windows Power Tools


Scregedit Streamlines Server Core 

A new tool offers help with the new OS’s GUI-less variation 


One of Windows Server 2008's most interesting aspects is its Server Core option. A Server Core system functions like a regular server, but it's missing a few pieces. Two notable missing pieces are the .NET Framework and—more important—most of the GUI. The result is a version of Server 2008 that uses less disk space, runs in less RAM, offers attackers fewer places to attack, and runs leaner than its graphical counterpart.

I'm a command-line junkie, so I'm thrilled by the 
prospect of Server Core. I dug into an early beta as soon 
as I could get my hands on it. However, as I attempted to 
set up a Server Core system from scratch, I realized to my 
chagrin that the old saying is true: "Be careful what you 
wish for—you might get it." Although I could do just about 
everything I needed to do from the command line, a few 
items left me scratching my head. Thankfully, I stumbled 
upon the very helpful Scregedit, a command-line registry 
tool built specifically to assist in configuring Server Core. 

Before Scregedit 

One of the items I had trouble with was determining how to enable Remote Desktop for a Server Core system. After noodling around with a full Server 2008 installation, I concluded that enabling Remote Desktop is as simple as opening port 3389 on the firewall. Working through the problem, I could start with the command

netsh firewall set icmpsettings opmode=disable

I could then access the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server registry subkey and set the fDenyTSConnections value to 0. In a moment of inspiration, I realized that I could do all that from the command line by using the Reg command:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /d 0 /t REG_DWORD /f

I could even cheat and use Regedit (one of the rare GUI 
tools that do work in Server Core) to set the registry entry, 
but no matter how I sliced it, I was in for a lot of typing. 
Scregedit came to the rescue at just the right time. 

Scregedit Syntax 

Scregedit is a command-line tool that offers built-in support for some of the most commonly modified registry entries. The tool's beauty is the simplicity of its syntax:

scregedit /<parameter value>

Alternatively, to see the current value of the parameter, you can simply type

scregedit /<parameter> /v

For example, to enable Remote Desktop, I can type

scregedit /ar 0

To disable it, I'd replace the 0 with a 1. (The registry entry's 
name, fDenyTSConnections, is worded so that enabling it 
enables the deny aspect; thus, you use 0 to enable. As any 
Windows vet knows, you need to get accustomed to mirror 
thinking to understand some Group Policy and registry 
settings!) To see its value, you'd type 

scregedit /ar /v 

which would (after some boilerplate information) net you 
a response of 

System\CurrentControlSet\Control\Terminal Server 
fDenyTSConnections 
View registry setting 
1 

By the way, Scregedit is actually a script. Located in the \Windows\System32 folder, its name is scregedit.wsf. Therefore, it will offer better-looking output if you first type

cscript //h:cscript

which tells Windows to run scripts by default under the CScript (i.e., command-line script) engine rather than the default WScript (i.e., Windows script) engine.

More Options 

As I write this column, Scregedit has just seven options. The /cli option offers some text with examples of the command-line way to do a number of common tasks—a sort of condensed Help file. You can use Scregedit /au 4 to have Server Core automatically download and install updates, Scregedit /cs to have Remote Desktop allow connections from pre-Windows Vista Remote Desktop clients, Scregedit /im 1 to permit remote IPsec management, and Scregedit /dp priority and Scregedit /dw priority to adjust the DNS priority and weight, respectively, of a Server Core system's SRV records (assuming it's a domain controller—DC). I wouldn't be surprised if Microsoft gave Scregedit a few more options before Server 2008 hits the streets.

If you can get ahold of a copy of the Server 2008 beta, I encourage you to take Server Core for a spin.
Top 10


VMware Workstation and Server Differences 

Find out which virtualization product best fits your needs 


Being first means a lot, and nowhere is that truer than in the virtualization marketplace. Microsoft and a handful of other players are working hard at playing catch-up, but VMware had the first x86 virtualization products in the marketplace and is still the clear leader. VMware offers three virtualization platforms: VMware Workstation 6.0, VMware Server 1.0.4, and ESX Server. ESX Server is targeted at the high-end enterprise space. However, VMware Workstation and VMware Server have overlapping features, making the target organization for these products a little less clear. So let's take a look at the primary differences between Workstation and Server to help you figure out which is right for your circumstances.

10 Price—One big difference between Workstation and Server is the price. Like many of today's virtualization products, Server is free. Workstation sells for $189. However, you get what you pay for: As you'll see, Workstation provides several advanced features that aren't present in Server.

9 Runs as a service—Architecturally, one of the biggest differences between Workstation and Server is that Server runs as a background service and Workstation runs as a standard desktop application. The trade-off is that Workstation provides better interactive performance but Server is better suited for multiuser server consolidation scenarios. This tends to make Workstation a better development platform and Server a better production platform.

8 Multiple-user access—Because it's a desktop application, only one user at a time can access Workstation. Server's service-based implementation lets it provide simultaneous multiuser access. Server also features a Web console for remote management.

7 RAM per virtual machine—Although the first couple of points provide an edge to Server, when you start digging into the more advanced details, you'll see that Workstation is worth the extra money. For instance, consider RAM capabilities. Workstation supports virtual machines (VMs) with up to 8GB of RAM, but Server supports a maximum of only 3.6GB per VM. Both products provide USB support as well as support for 2-way virtual processors.


6 Snapshots—A snapshot is a feature that lets you capture a point-in-time image of a VM. You can use the image to roll the VM back to that captured state. The snapshot isn't a complete copy of the VM; it captures only the changes to the VM image. Both Workstation and Server support basic snapshots.

5 Multiple snapshots—The big difference between Workstation and Server snapshots is support for multiple snapshots. Server supports only a single snapshot; Workstation supports multiple snapshots as well as providing a snapshot manager that lets you easily view and manage the available snapshots.

4 VM cloning—VM cloning is an advanced feature 
supported by Workstation that's not available in 
Server. The cloning feature lets you quickly copy 
a VM. A snapshot requires the presence of the 
base image, but you can use the cloning feature to create a 
completely new and independent VM. 

3 VM Teams—Another advanced feature that's supported in Workstation but not in Server is VM Teams. The Teams feature lets you manage multiple VMs as a group. For example, you can make your VM domain controller (DC) start up first, followed by one or more VM networked clients that might require that DC for authentication or other network services.

2 Host-guest drag-and-drop—Host-guest drag-and-drop lets you drag objects from the desktop or Windows Explorer from the host to a guest VM. Workstation, with its desktop application architecture, fully supports host-guest drag-and-drop, but the service-oriented Server product doesn't.


1 VM movie capture—You probably didn't even know Workstation could do this, did you? Choose VM, Capture Movie from the menu bar, and Workstation's movie capture feature lets you record all of the activity in a VM and save it as an AVI file. You can edit the AVI with a movie editor such as Windows Movie Maker or just play it in Windows Media Player. Server doesn't support movie capture.
iSCSI SAN Storage Hardware

EqualLogic PS300E/PS400E 


Reader: 
In our company we were using a Fibre Channel SAN that simply wasn't working out. Aside from the natural complexities of configuring and maintaining Fibre Channel LUNs, we were also having reliability issues with the IBM Inrange Fibre Channel Director. We went through round after round with IBM and third-party support, but the solution never worked right. We needed another solution, and we decided on iSCSI SAN storage arrays.

I ran across EqualLogic at a local trade show many years ago. I wasn't even looking for storage at the time; we had installed an IBM Fibre Channel SAN less than a year prior. It was about a year after that first meeting that we made the switch from Fibre Channel to iSCSI. We did a full review of the major iSCSI vendors and ultimately chose to buy an EqualLogic PS200 array.

The first array we purchased took a few hours to install due to misconfiguration of our Fibre Channel ports, but in general a new PS array can be out of the box and online within an hour. We've had no failures or major issues since implementing EqualLogic. We're currently using several EqualLogic PS arrays, including one EqualLogic PS300E and two EqualLogic PS400E units.

What made us choose EqualLogic over other vendors was how easy it was to use, as well as a full feature set that moved it to the head of the pack in the "most bang for the buck" category. It was jaw-dropping to experience just how much more our new, inexpensive SAN could do than the old, expensive SAN for no additional cost, such as replication and snapshots. Linear scalability for both capacity and performance was also very appealing and has since proven to be a valuable feature.

—Chris Fricke, senior IT administrator

The features I like best about the EqualLogic products are the simplicity, reliability, and performance. I don't need to interface with the SAN on a daily basis, it doesn't need lots of attention, and when I do work with it the experience is quick, intuitive, and reliable. Snapshots, replication, volume cloning, pooling, and tiering are all great features and have made EqualLogic a long-term investment for us.

There are some things I would like to see improved in future versions. I'd really love it if reboots were no longer necessary when doing firmware updates, and the reporting and monitoring interface could use some updates as well. Monitoring is probably the weakest area of the UI.

I couldn't begin to calculate the amount of time and stress we've 
saved by using EqualLogic over Fibre Channel. The fact that we decided 
to completely phase out our Fibre Channel SAN before it was even 
completely paid for speaks volumes: It was replaced exclusively by 
EqualLogic Peer Storage. 
What's Hot 


Manage Network Resources via an Appliance 

KACE Systems KBOX 1100 


I was looking for a way to streamline the distribution of patches 
and improve our Help desk solution in our office IT environment. I'd 
learned about the KBOX appliance by reading an IT trade publication and 
decided to give it a try. We selected the KBOX 1100 appliance, which can track 
hardware and software inventory, set configuration policy, distribute software 
and patches, and which provides an integrated Help desk solution. 
All of the KBOX features are accessible through a Web-based interface. 

Overall the KBOX 1100 was very easy to deploy. We did encounter 
a few issues with agent deployment but were able to resolve them fairly 
quickly with KACE Support. The Web-based management GUI makes 
the product very easy to use and administer. When we have needed 
technical support we've been happy with the results. 

In terms of our Help desk activities, the KBOX does a great job of 
keeping a complete database of all of our Help tickets and their current 
status. It even integrates with our hardware and software inventory, and 
it also allows me to pull Help desk reports by users and departments. 
We can see if some users keep having the same problems and can then 
use that information to make a training recommendation. The KBOX 
Help desk feature has saved us a lot of time. Although it's a little hard to 
measure the exact amount of time we've saved, having all the info we 
need to follow up on a ticket in one place has helped us respond more 
quickly and easily to Help requests. 

Reader: James Krochmal, IT Manager 

Product: KBOX 1100 

Company: KACE Systems 

The KBOX has many features, but a few of my favorites are the 
easy, reliable patching; the integrated inventory and Help desk; and 
the scripting engine. There is some room for improvement, and I think 
that the ability to save customized lists of users would be helpful. I also 
think the Web GUI tends to log off users too quickly, so I wish there was 
a setting we could adjust for that. 

Those complaints aside, I have to say that I've been very happy 
with the KBOX 1100 and would be happy to recommend it to other IT 
managers. 
We offer a variety of hosting packages 
and servers to fit your needs and budget. 

©2007 1&1 Internet, Inc. All rights reserved. Visit 1and1.com for full promotional offer details. 

* Offer valid for Business Package only, 12 month minimum contract term required. 

** Offer valid for Enterprise I and II packages only. 12 month minimum contract term required. Discounts taken monthly through the duration of the contract. Offers 
valid 11/2/2007 through 12/31/2007. Prices based on comparable Linux web hosting package prices, effective 10/24/2007. Product and program specifications, 
availability, and pricing subject to change without notice. All other trademarks are the property of their respective owners. 

Visit us now at 1and1.com 
Check out one of our essential guides to keep 
up with the latest information on SQL Server. 
With 13 essential guides available exclusively 
on SQL, all the information you need is just a 
click away at www.sqlmag.com/essential. 

Take a look at the newest 
Essential Guide: 

The Essential Guide to 
Reporting Services Tips 
and Tricks. 

www.windowsitpro.com/go/90degree/EG/?code=sqlmag 
SEND US YOUR INDUSTRY HUMOR! Email your funny screenshots, favorite end-user moments, and humorous IT-related pics to 
rumors@windowsitpro.com. If we use your submission, you’ll receive a Ctrl+Alt+Del coffee mug. 
[Reader-submitted screenshots: "No activity found dude"; a File Server Resource Manager dialog reading "Failed to send the test e-mail due to the following error: Failure sending mail."; an AOL Instant Messenger Error dialog reading "You are attempting to sign on again too soon. Please try again later."; and the captions "Oh, w I get it" and "Later, dude".] 
Apostolos Fotakelis, a 
systems administrator at 
Aristotle University of Thessaloniki, 
recently vacationed at Zakynthos 
Island’s Limnionas beach in Greece. Naturally, he 
brought along his favorite beach reading material. 
If you’d like to share your own excellent photos of 
our magazine in exotic locales, drop us a line! 



by Scott Adams 

Panel 1: I CAN'T DO MY WORK BECAUSE THE INTERNET IS TOO FASCINATING. 

Panel 2: THE PHYSICAL WORLD NO LONGER HOLDS MY INTEREST. I FIND JOY ONLY ON THE INTERNET. 

Panel 3: CAN I TAKE A HIT ON YOUR iPHONE BEFORE I GO BACK TO MY CUBICLE? 
One product, five defenders. 

Five anti-virus engines. One choice. 

GFI MailSecurity 

Complete email security with up to five anti-virus engines for Exchange/SMTP/Lotus 

No single anti-virus scanner vendor is the BEST and can stop ALL viruses. To obtain maximum security, you need 
GFI MailSecurity, which uses not one, but up to five virus scanners to check all company email, with limited or no effect 
on network and server performance. 

[Partner engine logos: McAfee, Norman, BitDefender, AVG Anti-Virus] 

GFI MailSecurity is better priced than most single anti-virus engine solutions on the market. With multiple anti-virus 
engines you: 

• React fastest to the latest virus threats by receiving the quickest virus signature updates 

• Take advantage of all their strengths because no single anti-virus scanner is the BEST 

• Virtually eliminate the chances of an infection. 

Download your FREE trial version from www.gfi.com/msw/ 

NETWORK SECURITY | CONTENT SECURITY | MESSAGING 

tel: +1 (888) 243-4329 | fax: +1 (919) 379-3402 | email: sales@gfi.com | url: www.gfi.com/msw/ 
Feeling half-prepared for 
your next security review? 



ScriptLogic's File Server Compliance Solution includes 
three award-winning server management products, 
combined to offer a comprehensive cure for compliance 
and best-practice headaches. 

With the File Server Compliance Solution, you will be 
able to proactively assess, manage, and validate critical 
Windows security with ease! 

Ease the burden of security assessment 

140 turnkey reports or customize to meet your needs 

Manage security easily and efficiently 

Manage NTFS, share, registry and other permissions centrally 
Backup and restore NTFS permissions to enforce standards 

Simplify Validation and Reporting 

Generate detailed reports on-demand 
Automate reports and email notifications 


Download a 30-day 
evaluation of these 
products today and 
get this Windows 
security eBook free! 


www.scriptlogic.com/getready 